Solved

Who can create user objects

Posted on 2011-09-22
252 Views
Last Modified: 2012-06-27
How can I go about identifying every AD account in our domain that can create or edit new AD objects such as accounts/groups?

Thanks
Question by:pma111
33 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 500 total points
ID: 36579525
By default only Enterprise Administrators, Domain Administrators and Account Operators can do that.
Just verify those groups' membership to get information on who can do that. Account Operators cannot modify Domain/Enterprise Admins properties/attributes/groups.

Regards,
Krzysztof
0
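The accepted answer points at the membership of three default groups. The script below is an added example, not code from the thread or from Krzysztof, that expands those groups recursively so that a user reached through a nested group, or a foreign security principal from another domain in the forest, still shows up. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and a domain account that can read group membership; Enterprise Admins only exists in the forest root domain, so the lookup is wrapped in try/catch.

```powershell
# Added example: list effective (nested) membership of the default groups
# that can create accounts. Not part of the original thread.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    param(
        [Parameter(Mandatory = $true)] [string] $GroupName,   # name or DN of the group to expand
        [string] $ReportAs = $GroupName,                       # top-level group name kept for the report
        [System.Collections.Generic.HashSet[string]] $Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    try {
        $group = Get-ADGroup -Identity $GroupName -Properties member -ErrorAction Stop
    } catch {
        # e.g. 'Enterprise Admins' queried from a child domain, where it does not exist
        Write-Warning "Cannot read group '$GroupName': $($_.Exception.Message)"
        return
    }
    foreach ($dn in $group.member) {
        if (-not $Seen.Add($dn)) { continue }   # skip objects already visited; breaks group cycles
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
        if ($obj.objectClass -eq 'group') {
            # Nested group: descend and report its members under the top-level group
            Get-EffectiveGroupMembers -GroupName $dn -ReportAs $ReportAs -Seen $Seen
        } else {
            # user, computer, or foreignSecurityPrincipal (a principal from another domain)
            $name = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
            [pscustomobject]@{
                Group  = $ReportAs
                Member = $name
                Class  = $obj.objectClass
                DN     = $dn
            }
        }
    }
}

# The three default groups named in the accepted answer. Account Operators
# lives in the Builtin container, which Get-ADGroup resolves by name.
$privileged = 'Enterprise Admins', 'Domain Admins', 'Account Operators'
$privileged |
    ForEach-Object { Get-EffectiveGroupMembers -GroupName $_ } |
    Sort-Object Group, Member |
    Format-Table -AutoSize
```

Members whose Class is foreignSecurityPrincipal are accounts or groups from another domain that have been granted rights here; resolve their SID in the owning domain to see who they are.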
 
LVL 3

Author Comment

by:pma111
ID: 36579528
When you say "by default" perhaps indicates some others may also be able to do this?

Any idea how to identify any non default groups or users who have been given this permission?

Thanks
0
 
LVL 3

Author Comment

by:pma111
ID: 36579534
And what about other domains in the forest, how can we tell which users in other domains could technically become an account in our domain - or create an account for our domain?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579542
Yes, it's not so simple without a 3rd party tool. You need to check Active Directory delegation. In the ADUC console you need to go to View -> Advanced Features. Now right-click your domain and each OU and check Properties. On the Security tab you will see if there are more than those specified.

Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579553
All those things you will see on the Security tab of a domain or OUs.
Maybe some other 3rd party tools would audit that, but I don't know any.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36579559
I couldn't even find a group called Account Operators?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579566
Go to Builtin container in ADUC

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36579588
Will do - thanks

Can you let me know in layman's terms what the "Builtin" container really represents in terms of AD, and AD security?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36579604
Normally, each server has local groups and users where they are stored. DCs have no local users and computers; it's moved to the AD database within the Builtin and Users containers. You cannot use GPOs on containers, they are only applied to OUs. That's for security reasons.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36579815
Cool thanks.

Out of interest - aside from users who can create new user objects - are there any other higher risk domain permissions that we should audit? i.e. if users other than admins had these permissions they could do mischievous things?

Or is the ability to create new users probably the most dangerous in the domain?
0
 
LVL 3

Author Comment

by:pma111
ID: 36579819
PS - if you had a bookmark of all default permissions and subsequent groups/acls for these kind of domain wide permissions please send a link?
0
 
LVL 3

Author Comment

by:pma111
ID: 36579830
and is the permission "create child object" for users who can create a new user?
0
 
LVL 3

Author Comment

by:pma111
ID: 36579839
I thought you could only create a user object in a domain?

If I see a permission at OU level for create user but the same permission is not set at domain level - does that mean they can or can't create a new user?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36580132
OK, let's start from the first post I missed :)

ID:36579815 -> the most dangerous thing in AD is giving too much permission to users (i.e. putting them into Domain Admins/Enterprise Admins/Account Operators groups). It's much more secure to use the AD Delegation wizard to give them rights. Please view Mike's blog for that, it's an interesting topic at
http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

If you do not give them group membership or delegated control, don't worry, they won't be able to create new users in a domain

ID:36579819 -> sorry, I haven't got one. But I would try to install a default AD instance in a VM and post screens.

ID:36579830 -> that means the user can create objects within this OU and sub-OUs.

ID:36579839 -> yes, you can create an object in a domain, but everything depends on its location :) Granting a user permission on the domain allows him to create new users in each OU. When you grant this option for an OU (Delegation of Control wizard) then he is able to create new accounts only in that particular OU.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36580156
Ok thanks - but when I right-click our domain > Properties > Security,

I can't see a permission called "create new user" or similar?

So what is the exact name of the permission that allows folk to create new users?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36582869
For that, you need to dig deeper :)
Choose the OU to examine, select its Properties and go to the "Security" tab. Then click on the "Advanced" button and review the Advanced Security Settings list. In the "Permission" column you will see what it is about. When you click "Edit" you will find the exact permissions for that action.

Krzysztof
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586203
Hi,

any progress on that field? :)
Do you need more detailed help/explanation?

Thanks for feedback in advance :)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36586274
Hi iSiek, gonna give it a go in a few mins, will feedback...
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586311
Thanks :)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36586328
Is the permission "create user objects"?

And create group objects would be to setup a new security group for a directory ACL for example?

How can you check who can create a user object and add them into a powerful group, such as a domain admin, or enterprise admin?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586343
Yes, "Create User objects" means that user/group can create new users in a domain or in a specific OU (depends where you are viewing properties).

That's right. Each permission is listed on the advanced ACL separately. So, when someone has permission to create new groups you will see "Create Group objects".

On the left side of that permission, you will see user name or group. If it's group just navigate in ADUC to that group and check its membership.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36586365
Just one final thing.

You mentioned something about delegation wizard.

Will right clicking the OU > props > security > advanced list ALL people who have create user permissions in that OU, or could there be others granted that permission via delegation wizard - if so can I check them as well?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586455
Yes, that place where you can view all settings is Advanced properties with the whole ACL. That's the only place where you can review granted permissions. The Delegation of Control Wizard only allows you to add new permissions, without reviewing them (unfortunately), but it's easier to use for beginners than doing the same thing in Advanced properties manually :)

Krzysztof
0
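Several replies above (checking the Security tab of the domain and each OU, the "Create User objects" / "Create Group objects" entries, and the advanced ACL as the one place to review delegated rights) describe a manual walk through ADUC. The script below is an added example, not code from the thread, that does the same review in one pass: it reads the ACL of the domain root and every OU through the AD: drive and lists each Allow ACE that grants Create Child for the user or group class, Create Child for any class, or GenericAll (what the GUI shows as Full Control). It assumes the ActiveDirectory module and a reader that can see the objects' security descriptors; the class GUIDs are resolved from the forest schema rather than hard-coded.

```powershell
# Added example: report who can create user/group objects, or holds Full
# Control, on the domain root and every OU. Not part of the original thread.
Import-Module ActiveDirectory

# Resolve schemaIDGUID for the 'user' and 'group' classes from this forest's schema.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
foreach ($cls in 'user', 'group') {
    $raw = (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$cls)" `
                         -Properties schemaIDGUID).schemaIDGUID
    $classGuid[[guid]$raw] = $cls        # byte[] -> Guid
}

$domainDN = (Get-ADDomain).DistinguishedName
$targets  = @($domainDN) + @(Get-ADOrganizationalUnit -Filter * |
                              Select-Object -ExpandProperty DistinguishedName)

$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $why = $null
        if (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) {
            $why = 'Full Control (GenericAll)'
        } elseif ($ace.ActiveDirectoryRights -band $createChild) {
            if ($ace.ObjectType -eq [guid]::Empty) {
                $why = 'Create Child (all object classes)'
            } elseif ($classGuid.ContainsKey($ace.ObjectType)) {
                $why = "Create $($classGuid[$ace.ObjectType]) objects"
            }
        }
        if ($why) {
            [pscustomobject]@{
                Object     = $dn
                Principal  = $ace.IdentityReference.Value
                Permission = $why
                Inherited  = $ace.IsInherited     # True = comes from a parent (domain or OU above)
            }
        }
    }
}

$report | Sort-Object Object, Principal | Format-Table -AutoSize
```

Entries with Inherited = True answer the "OU versus domain level" question in the thread: a right granted at the domain root and set to apply to descendants shows up, inherited, on every OU below it, while a right granted directly on one OU appears only there (and on its sub-OUs). Principals that are groups should be expanded to members, as in the earlier example; when reviewing, also note any ACE granting WriteDacl or WriteOwner, since a holder of those can change the ACL itself.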
 
LVL 3

Author Comment

by:pma111
ID: 36586490
Is there any way to identify, for all our 4000-odd user accounts, who created each of them?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586547
Actually, no. But if you wish you can always review the audit logs on your DCs to check new user creation. Almost impossible to achieve :)

Krzysztof
0
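The reply above points to the DC audit logs as the only record of who created an account. The script below is an added example, not from the thread, that pulls the relevant Security events from every domain controller: 4720 (a user account was created) and 4728/4732/4756 (a member was added to a global, local or universal security group), which also covers the earlier question about who adds accounts to powerful groups. It assumes Account Management auditing was enabled on the DCs, the events are still in the log, the ActiveDirectory module is available, and the caller can read the remote Security logs; the 90-day window is a constructed value.

```powershell
# Added example: who created which account, and who added members to
# security groups, from the DCs' Security logs. Not part of the original thread.
Import-Module ActiveDirectory

$eventNames = @{
    4720 = 'User account created'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
}
$since = (Get-Date).AddDays(-90)   # assumed retention window; adjust to your log size
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$changes = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = @($eventNames.Keys)
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when no events match or the DC is unreachable
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Event data fields are only reachable through the event XML
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            When   = $e.TimeCreated
            DC     = $dc
            Action = $eventNames[[int]$e.Id]
            Target = $d['TargetUserName']   # new account, or the group that gained a member
            Member = $d['MemberName']       # DN of the added member (group events only)
            By     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}

$changes | Sort-Object When | Format-Table -AutoSize
```

Each account is created on exactly one DC, so every DC has to be queried; accounts older than the log retention simply will not appear, which is the limitation Krzysztof describes. Comparing the "By" column against the earlier ACL report is a quick way to spot a creator who is not on the expected list.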
 
LVL 3

Author Comment

by:pma111
ID: 36586563
Does

right-click OU > Properties > Security > Advanced

any entry with Full Control, does that include the ability to "create users"? Or do they need that permission explicitly?
0
 
LVL 3

Author Comment

by:pma111
ID: 36586610
Say for example in OU you have a file server and share/directory with highly sensitive data.

If user X can create a group, how can you tell if he can add it to the ACL on that directory?

It's super complex, all the variables.

I basically want to know who could set user X and somehow grant him access to that ACL and that sensitive data?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36586698
Full Control on an OU means that you can do anything (create/delete users/groups and even delete that OU :) )

Only users/groups with Full Control can give permissions on a share/folder/file, and one special group, CREATOR OWNER.

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36587185
So are the really powerful users those who have full control over the domain?

And those who have create user or OU can only grant a user access to resources in that OU and nothing more?

I am still a bit confused in terms of access how this fits in. Say someone has create user permissions and goes rogue and wants to set up a user and give them access to highly sensitive data or high permissions - how can we judge if they go do this?

For example OU has server A with directory B that has highly sensitive data. And malicious admin wants to create user account for malicious user so they can access this sensitive data. How can I go to that level of review and see if this is possible?

Hope that makes sense
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36595100
Yes, full control over domain and full control on file server resources are the most dangerous case. You need to control that.

When you can create users in particular OU, it's only about new users and (if possible in permission) group membership. Creation of user within OU doesn't give rights to assign its user account into resources (the only possible way for that is group membership).

You can always enable Auditing on sensitive data resources. More about auditing at
http://support.microsoft.com/kb/310399

And if you really want to secure sensitive data, you may also use an EFS certificate for those users. Then NTFS permissions are not enough, you also need to have a certificate. Please look into the guide I attached. I wrote there a simple case for an EFS certificate on a file resource to prevent access for unwanted users.

 My-own-EFS-cert.pdf

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36598652
Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36598662
You're welcome :)

Krzysztof
0
 
LVL 3

Author Comment

by:pma111
ID: 36598733
How do you identify full control over a file server? We have over 300 :o(

Thanks
0
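The final question, how to find Full Control across 300-odd file servers, is the file-server counterpart of the OU ACL review above. The script below is an added example, not from the thread, that takes a list of server names, enumerates each server's non-administrative disk shares via WMI, and reports every principal holding Full Control either on the share permissions (read through Win32_LogicalShareSecuritySetting) or on the NTFS ACL of the share root (read through Get-Acl on the UNC path). It assumes the file `fileservers.txt` (one hostname per line; a constructed name) and a caller with WMI access to the servers and read access to the shares.

```powershell
# Added example: report Full Control holders on share and NTFS permissions
# across many file servers. Not part of the original thread.
$servers = Get-Content '.\fileservers.txt'        # assumption: one hostname per line

$shareFullControl = 0x1F01FF                      # FILE_ALL_ACCESS as stored in share ACEs
$ntfsFullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ShareFullControl {
    param([string] $Server, [string] $ShareName)
    # Share-level DACL; AceType 0 = ACCESS_ALLOWED
    $setting = Get-WmiObject -ComputerName $Server -Class Win32_LogicalShareSecuritySetting `
                             -Filter "Name='$ShareName'" -ErrorAction Stop
    $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
    foreach ($ace in $dacl) {
        if ($ace.AceType -eq 0 -and (($ace.AccessMask -band $shareFullControl) -eq $shareFullControl)) {
            "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
        }
    }
}

function Get-NtfsFullControl {
    param([string] $UncPath)
    # NTFS DACL of the share root only; sub-folders with their own ACLs are not walked here
    $acl = Get-Acl -Path $UncPath -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $ntfsFullControl) -eq $ntfsFullControl)) {
            $ace.IdentityReference.Value
        }
    }
}

$report = foreach ($server in $servers) {
    try {
        # Type 0 = ordinary disk share; hidden admin shares (C$, ADMIN$) have other types
        $shares = Get-WmiObject -ComputerName $server -Class Win32_Share -Filter 'Type=0' -ErrorAction Stop
    } catch {
        Write-Warning "$server : $($_.Exception.Message)"
        continue
    }
    foreach ($share in $shares) {
        $unc = "\\$server\$($share.Name)"
        try {
            foreach ($p in Get-ShareFullControl -Server $server -ShareName $share.Name) {
                [pscustomobject]@{ Server = $server; Share = $share.Name; Level = 'Share'; Principal = $p }
            }
            foreach ($p in Get-NtfsFullControl -UncPath $unc) {
                [pscustomobject]@{ Server = $server; Share = $share.Name; Level = 'NTFS';  Principal = $p }
            }
        } catch {
            Write-Warning "$unc : $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Server, Share, Level | Format-Table -AutoSize
```

Effective access is the more restrictive of the share and NTFS levels, so a principal listed under both is the one to look at first; local groups such as BUILTIN\Administrators on a server need their membership checked on that server, and domain groups can be expanded with the group-membership example given earlier.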
