Pau Lo
Who can create user objects
How can I go about identifying every AD account in our domain that can create or edit new AD objects such as accounts/groups?
Thanks
ASKER
And what about other domains in the forest, how can we tell which users in other domains could technically become an account in our domain - or create an account for our domain?
Yes, it's not so simple without a 3rd party tool. You need to check Active Directory delegation. In the ADUC console you need to go to View -> Advanced Features. Now right-click your domain and each OU and check Properties. On the Security tab you will see if there are more than those specified.
Krzysztof
All those things you will see on the Security tab of the domain or OUs.
Maybe some other 3rd party tools would audit that but I don't know any.
Krzysztof
ASKER
I couldn't even find a group called Account Operators?
Go to the Builtin container in ADUC.
Krzysztof
ASKER
Will do - thanks
Can you let me know in layman's terms what the "Builtin" container really represents in terms of AD and AD security?
Normally, each server has local groups and users, which are stored locally. DCs have no local users and computers; those are moved into the AD database within the Builtin and Users containers. You cannot apply GPOs to containers, only to OUs. That's for security reasons.
Krzysztof
ASKER
Cool thanks.
Out of interest - aside from users who can create new user objects - are there any other higher-risk domain permissions that we should audit? I.e. if users other than admins had these permissions, they could do mischievous things?
Or is the ability to create new users probably the most dangerous in the domain?
ASKER
PS - if you have a bookmark of all default permissions and the corresponding groups/ACLs for these kinds of domain-wide permissions, please send a link?
ASKER
and is the permission "create child object" for users who can create a new user?
ASKER
I thought you could only create a user object in a domain?
If I see a permission at an OU level for create user but the same permission is not set at domain level - does that mean they can or can't create a new user?
OK, let's start from the first post I missed :)
ID:36579815 -> the most dangerous thing in AD is giving too much permission to users (i.e. putting them into the Domain Admins/Enterprise Admins/Account Operators groups). It's much more secure to use the AD delegation wizard to give them rights. Please view Mike's blog for that; it's an interesting topic:
http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html
If you do not give them group membership or delegated control, don't worry, they won't be able to create new users in the domain.
ID:36579819 -> sorry, I haven't got one. But I would try to install a default AD instance in a VM and post screens.
ID:36579830 -> that means the user can create objects within this OU and its sub-OUs.
ID:36579839 -> yes, you can create an object in a domain, but everything depends on its location :) Granting a user permission on the domain allows him to create new users in each OU. When you grant this option on an OU (Delegation of Control wizard) then he is able to create new accounts only in that particular OU.
Krzysztof
ASKER
Ok thanks - but when I right-click our domain > Properties > Security,
I can't see a permission called "create new user" or similar?
So what is the exact name of the permission that allows folk to create new users?
For that, you need to dig deeper :)
Choose the OU to examine, select its Properties and go to the "Security" tab. Then click the "Advanced" button and review the Advanced Security Settings list. In the "Permission" column you will see what each entry is about. When you click "Edit" you will find the exact permissions for that action.
Krzysztof
Hi,
Any progress in that field? :)
Do you need more detailed help/explanation?
Thanks for feedback in advance :)
Krzysztof
ASKER
Hi iSiek, gonna give it a go in a few mins, will feed back...
Thanks :)
Krzysztof
ASKER
Is the permission "create user objects"?
And "create group objects" would be to set up a new security group for a directory ACL, for example?
How can you check who can create a user object and add it to a powerful group, such as Domain Admins or Enterprise Admins?
Yes, "create user objects" means that user/group can create new users in the domain or in a specific OU (depending on where you are viewing properties).
That's right. Each permission is listed separately in the advanced ACL. So, when someone has permission to create new groups, you will see "create group objects".
On the left side of that permission you will see the user name or group. If it's a group, just navigate in ADUC to that group and check its membership.
Krzysztof
ASKER
Just one final thing.
You mentioned something about delegation wizard.
Will right-clicking the OU > Props > Security > Advanced list ALL people who have create-user permissions in that OU, or could there be others granted that permission via the delegation wizard? If so, can I check them as well?
Yes, the place where you can view all settings is the advanced properties with the whole ACL. That is the only place where you can review granted permissions. The Delegation of Control Wizard only lets you add new permissions without reviewing them (unfortunately), but it's easier to use for beginners than doing the same thing manually in the advanced properties :)
Krzysztof
ASKER
Is there any way to identify, for all our 4000-odd user accounts, who created each of them?
Actually, no. But if you wish you can always review the audit logs on your DCs to check new user creation. Almost impossible to achieve :)
Krzysztof
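For the "who created each account" question, the Security log on the DCs is the only record, as the answer above says. The PowerShell below is an added example, not from the thread: it pulls event ID 4720 ("A user account was created") from every DC and maps the creating account to the new one. It assumes the ActiveDirectory RSAT module, that "Audit User Account Management" is enabled on the DCs, and that the events have not yet rolled out of the log.

```powershell
# Added example: collect "A user account was created" (Security event 4720) from
# every DC, because the event is logged only on the DC that performed the creation.
Import-Module ActiveDirectory

function Get-UserCreationEvents {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        # SilentlyContinue: Get-WinEvent reports "no events found" as an error
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4720 }
        foreach ($e in $events) {
            # The EventData fields (Subject = creator, Target = new account) are
            # only reachable through the event's XML representation
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                When      = $e.TimeCreated
                DC        = $dc
                CreatedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                NewUser   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            }
        }
    }
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Get-UserCreationEvents -DomainControllers $dcs |
    Sort-Object When |
    Export-Csv -Path .\user-creations.csv -NoTypeInformation
```

Anything older than the Security log's retention is gone; for the existing 4000 accounts the whenCreated attribute on each user object tells you when, but not who.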
ASKER
Does any entry with Full Control under right-click OU > Props > Security > Advanced include the ability to "create users"? Or do they need that permission explicitly?
ASKER
Say for example in an OU you have a file server and a share/directory with highly sensitive data.
If user X can create a group, how can you tell if he can add it to the ACL on that directory?
It's super complex, all the variables.
I basically want to know who could set up user X and somehow grant him access to that ACL and that sensitive data?
Full Control on an OU means that you can do anything (create/delete users/groups and even delete that OU :) )
Only users/groups with Full Control can give permissions on a share/folder/file, plus one special group, CREATOR OWNER.
Krzysztof
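The manual review described in this thread (the Advanced security settings on the domain and each OU, the "Create User Objects" / "Create Group Objects" entries, expanding group trustees to see the people behind them, and Full Control covering all of it) can be scripted. The following PowerShell is an added example, not from the thread or any of the answers; it assumes the ActiveDirectory RSAT module and uses the well-known schema GUIDs for the user and group classes.

```powershell
# Added example: list explicit ACEs on the domain head and every OU that grant
# Full Control, Create All Child Objects, Create User Objects or Create Group
# Objects, then expand group trustees so the report shows actual accounts.
Import-Module ActiveDirectory

$GenericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$CreateChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
# schemaIDGUIDs of the classes we care about; an all-zero ObjectType on a
# CreateChild ACE means "any child object class"
$ClassNames = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'User'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'Group'
}

function Get-TrusteeMembers {
    # Resolve "DOMAIN\Name" to an AD group and return its nested members;
    # anything that is not a resolvable group is reported as-is.
    param([string]$Trustee)
    $name = ($Trustee -split '\\')[-1]
    try {
        $group = Get-ADGroup -Identity $name -ErrorAction Stop
        (Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop).SamAccountName -join ', '
    } catch { "(not an expandable group: $Trustee)" }
}

$containers = @((Get-ADDomain).DistinguishedName) +
    @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $containers) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        # Explicit Allow ACEs only: inherited ones were already reported on the parent
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
        $rights = $ace.ActiveDirectoryRights
        if (($rights -band $GenericAll) -eq $GenericAll) { $what = 'Full Control' }
        elseif (($rights -band $CreateChild) -eq $CreateChild) {
            if ($ace.ObjectType -eq [guid]::Empty) { $what = 'Create All Child Objects' }
            elseif ($ClassNames.ContainsKey($ace.ObjectType.ToString())) {
                $what = "Create $($ClassNames[$ace.ObjectType.ToString()]) Objects" }
            else { continue }   # some other class (contacts, printers, ...)
        }
        else { continue }
        [pscustomobject]@{
            Container = $dn
            Trustee   = $ace.IdentityReference.Value
            Right     = $what
            Members   = Get-TrusteeMembers -Trustee $ace.IdentityReference.Value
        }
    }
}
$findings | Sort-Object Container, Trustee | Format-Table -AutoSize -Wrap
```

The right to change an existing group's membership (write access to its member attribute) is a property right on the group object itself, so it is not caught by this class-creation check and needs a separate review of the group objects.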
ASKER
So are the really powerful users those who have full control over the domain?
And those who have create user or OU permissions can only grant a user access to resources in that OU and nothing more?
I am still a bit confused in terms of how access fits into this. Say someone has create-user permissions and goes rogue and wants to set up a user and give them access to highly sensitive data or high permissions - how can we judge if they could do this?
For example, an OU has server A with directory B that has highly sensitive data. And a malicious admin wants to create a user account for a malicious user so they can access this sensitive data. How can I go to that level of review and see if this is possible?
Hope that makes sense
Yes, full control over domain and full control on file server resources are the most dangerous case. You need to control that.
When you can create users in a particular OU, it's only about new users and (if the permission allows it) group membership. Creating a user within an OU doesn't give rights to assign that user account to resources (the only possible way for that is group membership).
You can always enable Auditing on sensitive data resources. More about auditing at
http://support.microsoft.com/kb/310399
And if you really want to secure sensitive data, you may also use an EFS certificate for those users. Then NTFS permissions are not enough; you also require a certificate. Please look into the guide I attached. I wrote there a simple case for an EFS certificate on a file resource to prevent access for unwanted users.
My-own-EFS-cert.pdf
Krzysztof
ASKER
Thanks
You're welcome :)
Krzysztof
ASKER
How do you identify full control over a file server? We have over 300 :o(
Thanks
ASKER
Any idea how to identify any non default groups or users who have been given this permission?
Thanks