Solved

Windows Admin pack - AD DS

Posted on 2009-04-08
3
460 Views
Last Modified: 2013-12-04
If any users in our domain installs Windows Admin Pack on their XP machine they are able to manage\access all Active directory domain services (ADUC, AD sites and services, CA....etc).  Users are not members of any elevated domain groups, in fact I created a test user who was only a member of domain users and it was able to access all AD DS.  Checked the domain users group which has not got any elevated permissions.  
Luckily I am the only one who knows about this at the moment so I am eager to secure AD DS before anyone else finds out.
0
Comment
Question by:redfoxsupport
3 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 125 total points
ID: 24094654
AD is "read" by design for all authenticated users so they will be able to "lurk" with snap-ins from the admin pack.

You can make a GPO and link it to the OU where your users is located that will deny snap-ins:

User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted\Permitted snap-ins\Group Policy


SG
0
 
LVL 4

Assisted Solution

by:rentonc
rentonc earned 125 total points
ID: 24094687
It could be group membership....
You could make a list of the groups that the user is a member of then look at the properties of each group to see what each group is a member of. it may be the domain users group is a memebr of a group which is in the domain admins group which is not apparent.

It might be a policy or delegate control issue -
you could open ADUC and right click on the top level domain and choose all tasks and resultant set of policy option, if you go through the defaults and seelct a username then it will show you what the group policies are that are defined (you can do this on each ou but Im assuming becasue they have full domain admin rights the policy would be set at the top level)
the view is similar to that of the gpedit.msc plugin - loo in the computer donfig\windows settings\security settings .....
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now