Who can create user objects

Posted on 2011-09-22
Last Modified: 2012-06-27
How can I go about identifying every AD account in our domain that can create or edit new AD objects such as accounts/groups?

Thanks
Question by:pma111
33 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 2000 total points
ID: 36579525
By default, only Enterprise Administrators, Domain Administrators and Account Operators can do that.
Just verify those groups' membership to get information on who can do that. Account Operators cannot modify Domain/Enterprise Admins properties/attributes/groups.

Regards,
Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36579528
When you say "by default", does that perhaps indicate some others may also be able to do this?

Any idea how to identify any non default groups or users who have been given this permission?

Thanks
 
LVL 3

Author Comment

by:pma111
ID: 36579534
And what about other domains in the forest: how can we tell which users in other domains could technically become an account in our domain, or create an account for our domain?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579542
Yes, it's not so simple without a 3rd party tool. You need to check Active Directory delegation. In the ADUC console you need to go to View -> Advanced Features. Now right-click your domain and each OU and check Properties. On the Security tab you will see if there are more than those specified.

Krzysztof
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579553
All those things you will see on the Security tab of a domain or OUs.
Maybe some other 3rd party tools would audit that, but I don't know any.

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36579559
I couldn't even find a group called Account Operators?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579566
Go to the Builtin container in ADUC.

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36579588
Will do - thanks

Can you let me know in layman's terms what the "Builtin" container really represents in terms of AD, and AD security?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579604
Normally, each server has local groups and users, which are stored on it. DCs have no local users and computers; they are moved into the AD database within the Builtin and Users containers. You cannot use GPOs on containers; they are only applied to OUs. That's for security reasons.

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36579815
Cool thanks.

Out of interest, aside from users who can create new user objects, are there any other higher-risk domain permissions that we should audit? I.e. if users other than admins had these permissions, could they do mischievous things?

Or is the ability to create new users probably the most dangerous in the domain?
 
LVL 3

Author Comment

by:pma111
ID: 36579819
PS: if you have a bookmark of all default permissions and the corresponding groups/ACLs for these kinds of domain-wide permissions, please send a link?
 
LVL 3

Author Comment

by:pma111
ID: 36579830
And is the permission "create child object" the one for users who can create a new user?
 
LVL 3

Author Comment

by:pma111
ID: 36579839
I thought you could only create a user object in a domain?

If I see a permission at an OU level for create user but the same permission is not set at domain level, does that mean they can or can't create a new user?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36580132
OK, let's start from the first post I missed :)

ID:36579815 -> the most dangerous thing in AD is giving too much permission to users (i.e. putting them into the Domain Admins/Enterprise Admins/Account Operators groups). It's much more secure to use the AD Delegation wizard to give them rights. Please view Mike's blog for that; it's an interesting topic at
http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

If you do not give them group membership or delegated control, don't worry, they won't be able to create new users in a domain.

ID:36579819 -> sorry, I haven't got one. But I would try to install a default AD instance in a VM and post screens.

ID:36579830 -> that means the user can create objects within this OU and its sub-OUs.

ID:36579839 -> yes, you can create objects in a domain, but everything depends on their location :) Granting a user permission on the domain allows him to create new users in each OU. When you grant this option on an OU (Delegation of Control wizard) then he is able to create new accounts only in that particular OU.

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36580156
Ok thanks, but when I right-click our domain > Properties > Security,

I can't see a permission called "create new user" or similar?

So what is the exact name of the permission that allows folk to create new users?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36582869
For that, you need to dig deeper :)
Choose an OU to examine, select its Properties and go to the "Security" tab. Then click on the "Advanced" button and review the Advanced Security Settings list. In the "Permission" column you will see what each entry is about. When you click "Edit" you will find the exact permissions for that action.

Krzysztof
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586203
Hi,

any progress on that field? :)
Do you need more detailed help/explanation?

Thanks for feedback in advance :)

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36586274
Hi iSiek, gonna give it a go in a few mins, will feedback...
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586311
Thanks :)

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36586328
Is the permission "create user objects"?

And "create group objects" would be to set up a new security group for a directory ACL, for example?

How can you check who can create a user object and add them into a powerful group, such as a domain admin, or enterprise admin?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586343
Yes, "create user objects" means that the user/group can create new users in the domain or in a specific OU (depending on where you are viewing the properties).

That's right. Each permission is listed separately in the advanced ACL. So, when someone has permission to create new groups you will see "create group objects".

On the left side of that permission, you will see user name or group. If it's group just navigate in ADUC to that group and check its membership.

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36586365
Just one final thing.

You mentioned something about delegation wizard.

Will right-clicking the OU > Props > Security > Advanced list ALL people who have create user permissions in that OU, or could there be others granted that permission via the delegation wizard? If so, can I check them as well?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586455
Yes, the place where you can view all settings is the advanced properties with the whole ACL. That is the only place where you can review granted permissions. The Delegation of Control Wizard only allows you to add new permissions, without reviewing them (unfortunately), but it's easier to use for beginners than doing the same thing manually in the advanced properties :)

Krzysztof
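An added example, not from the thread and not the poster's or Microsoft's own tooling, that automates the advanced-ACL review described in the replies above using the ActiveDirectory PowerShell module: it lists every identity with "Create User objects", "Create Group objects", "Create all child objects" or Full Control on the domain root and each OU, then expands the default privileged groups named in the accepted answer. It assumes the module's AD: drive is available and the account running it can read the ACLs.

```powershell
# Added example (not from the thread): list who can create user or group
# objects, or holds Full Control, on the domain root and every OU by reading
# the advanced ACL the thread describes (ADUC > Security > Advanced) through
# the ActiveDirectory module's AD: drive. Run as an account that can read ACLs.
Import-Module ActiveDirectory

# Resolve the schema GUIDs of the "user" and "group" classes instead of
# hard-coding them; an ACE whose ObjectType equals one of these is the
# "Create User objects" / "Create Group objects" entry shown in ADUC.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
foreach ($cls in 'user', 'group') {
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
           -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$cls))"
    $classGuid[[guid]$obj.schemaIDGUID] = $cls
}
$allTypes = [guid]::Empty   # all-zero ObjectType = applies to every child class

$domainDN = (Get-ADDomain).DistinguishedName
$targets  = @($domainDN) + (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $what = $null
        if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $what = 'Full Control'      # everything, including deleting the OU itself
        } elseif ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)) {
            if ($ace.ObjectType -eq $allTypes) { $what = 'Create all child objects' }
            elseif ($classGuid.ContainsKey($ace.ObjectType)) {
                $what = "Create $($classGuid[$ace.ObjectType]) objects"
            }
        }
        if ($what) {
            [pscustomobject]@{ Container = $dn; Identity = $ace.IdentityReference.Value; Right = $what; Inherited = $ace.IsInherited }
        }
    }
}
$findings | Sort-Object Container, Identity | Format-Table -AutoSize

# A group in the Identity column is only as safe as its members, so also expand
# the default privileged groups from the accepted answer (Enterprise Admins
# exists only in the forest root domain, hence the error suppression).
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Account Operators') {
    "== $g =="
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}
```

Entries with Inherited = True come from a parent container, so a right granted once at the domain root shows up on every OU below it, which is the domain-versus-OU distinction discussed earlier in the thread.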
 
LVL 3

Author Comment

by:pma111
ID: 36586490
Is there any way to identify, for all our 4000-odd user accounts, who created each of them?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586547
Actually, no. But if you wish you can always review the audit logs on your DCs to check new user creation. Almost impossible to achieve :)

Krzysztof
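An added example, not from the thread, of the audit-log approach this reply suggests: it collects Security event 4720 ("A user account was created") from every domain controller, tallies creations per creator, and lists current accounts that have no creation event in the retained logs. It assumes the ActiveDirectory module, remote event log access to the DCs, and that "Audit User Account Management" is enabled on them.

```powershell
# Added example (not from the thread): answer "who created this account?" from
# the Security log of each DC, as the reply suggests. Event 4720 ("A user
# account was created") carries the creator (Subject*) and the new account
# (Target*). Needs "Audit User Account Management" enabled on the DCs and a
# Security log retained long enough to cover the accounts of interest.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$created = foreach ($dc in $dcs) {
    # FilterHashtable lets the DC filter on event ID instead of streaming the whole log.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
               -FilterHashtable @{ LogName = 'Security'; Id = 4720 }
    foreach ($e in $events) {
        # Named EventData fields are only reachable through the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            When    = $e.TimeCreated
            DC      = $dc
            Creator = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            NewUser = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        }
    }
}

# Accounts created per creator: any identity outside the expected admin or
# provisioning accounts is a lead for the ACL review the thread describes.
$created | Group-Object Creator | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Current accounts with no creation event in the retained logs (created before
# the retention window or while auditing was off), oldest first.
$known = @($created | ForEach-Object { ($_.NewUser -split '\\')[-1].ToLower() })
Get-ADUser -Filter * -Properties whenCreated |
    Where-Object { $known -notcontains $_.SamAccountName.ToLower() } |
    Sort-Object whenCreated | Select-Object SamAccountName, whenCreated | Format-Table -AutoSize
```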
 
LVL 3

Author Comment

by:pma111
ID: 36586563
Does any entry with full control under

right click OU > props > security > advanced

include the ability to "create users"? Or do they need that permission explicitly?
 
LVL 3

Author Comment

by:pma111
ID: 36586610
Say for example in an OU you have a file server and a share/directory with highly sensitive data.

If user X can create a group, how can you tell if he can add it to the ACL on that directory?

It's super complex, all the variables.

I basically want to know who could set up user X and somehow grant him access to that ACL and that sensitive data?
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586698
Full Control on an OU means that you can do anything (create/delete users/groups and even delete that OU :) )

Only users/groups with Full Control can grant permissions on a share/folder/file, plus one special group, CREATOR OWNER.

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36587185
So are the really powerful users those who have full control over the domain?

And those who have create user or OU can only grant a user access to resources in that OU and nothing more?

I am still a bit confused in terms of how access fits into this. Say someone has create user permissions and goes rogue and wants to set up a user and give them access to highly sensitive data or high permissions: how can we judge if they could do this?

For example OU has server A with directory B that has highly sensitive data. And malicious admin wants to create user account for malicious user so they can access this sensitive data. How can I go to that level of review and see if this is possible?

Hope that makes sense
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36595100
Yes, full control over domain and full control on file server resources are the most dangerous case. You need to control that.

When you can create users in a particular OU, it's only about new users and (if the permission allows it) group membership. Creating a user within an OU doesn't give rights to assign that user account to resources (the only possible way for that is group membership).

You can always enable Auditing on sensitive data resources. More about auditing at
http://support.microsoft.com/kb/310399

And if you really want to secure sensitive data, you may also use EFS certificates for those users. Then NTFS permissions are not enough; you also need to have a certificate. Please look into the guide I attached. I wrote there a simple case of an EFS certificate on a file resource to prevent access by unwanted users.

 My-own-EFS-cert.pdf

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36598652
Thanks
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598662
You're welcome :)

Krzysztof
 
LVL 3

Author Comment

by:pma111
ID: 36598733
How do you identify full control over a file server? We have over 300 :o(

Thanks