data security - Full Control permission in ADUC properties

In AD Users and Computers - what risks do users having Full Control over the device pose?

Does that mean they can access all data on that device, or for that do we still refer to share/directory ACLs and can ignore the permission shown if we right-click the computer's Properties > Security tab?
pma111 asked:
 
Krzysztof Pytko, Senior Active Directory Engineer, commented:
Nope. This means that they can do everything with that object in ADUC (move, delete, reset its password, for groups add/remove members), but there is no physical access to the device at all! :) The only exception is for users who are Domain Admins/Enterprise Admins members :) they also have full access to devices.

Regards,
Krzysztof
0
 
pma111 (Author) commented:
So technically, if they have "Full Control" set via the Security tab of the properties in ADUC, they can access anything on that server, including all/any data?
0
 
pma111 (Author) commented:
Surely MBSA should include that as a check in its product - users with full control over a device.
0
 
pma111 (Author) commented:
And can they only reset the password if they know the current password?
0
 
pma111 (Author) commented:
And how do you mean:

"but there is no physical access to the device, at all! :) "

?? Can you clarify?

Thanks iSiek
0
 
Krzysztof Pytko, Senior Active Directory Engineer, commented:
So :)

Full Control means that the object in an OU can be moved to another OU or deleted from the domain, but a user with that permission cannot log on to the device with full control. By default regular users can log on to any PC (if you didn't restrict that) and have access to any folder where Users, Everyone or Domain Users have been granted at least Read & Execute permissions.

When you delegate to users the ability to reset and unlock accounts, they don't need to know the current password. They can change it via the ADUC console and unlock the account or disable/enable it.

Full Control to an object is not equal to Full Rights on a device (server/computer).

Krzysztof
0
 
Mike Kline commented:
Are you talking about just giving a normal user access to ADUC?

Thanks

Mike
0
 
pma111 (Author) commented:
Mike - no, I just wondered, when you right-click a server/computer in ADUC and go to the Security tab of its properties, what exactly these permissions are and, if some were granted to the Everyone group or another group, what risk they pose.
0
 
pma111 (Author) commented:
>>Full Control to an object is not equal to Full Rights on a device (server/computer).

But then if they could change the admin password, have they not just given themselves full rights to the device?

0
 
Mike Kline commented:
Ok, then Krzysztof gave a good answer about move/delete.

Thanks

Mike
0
 
pma111 (Author) commented:
In terms of security though, and security of the data on that device, are we saying reviewing the permissions listed in ADUC on the Security tab of its properties aren't really included in security audits on member servers?
0
 
Mike Kline commented:
Correct, you would have to look at/dump the ACLs in AD to see who has rights there. It is one of the places I think AD can still improve (rights/role reporting).

Thanks

Mike
0
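One way to do the ACL dump Mike describes, as an added example that is not from this thread or from any of its participants: it walks the computer objects under an OU and reports every trustee that holds Full Control (GenericAll) or the Reset Password extended right on the object, skipping the trustees that normally hold them. The OU path and the `EXAMPLE\` domain prefix are placeholders; the ActiveDirectory module (and its `AD:` drive) is assumed to be installed.

```powershell
# Added example (not the thread's own script): audit who holds Full Control or
# Reset Password on computer objects in AD, as seen on the ADUC Security tab.
Import-Module ActiveDirectory

$searchBase = "OU=Servers,DC=example,DC=com"   # placeholder OU, adjust for your domain

# Trustees that normally hold these rights on computer objects; anything else is
# reported for review. "EXAMPLE" is a placeholder for the domain NetBIOS name.
$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    'EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins'
)

# Well-known GUID of the "Reset Password" control access right
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$genericAll        = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

Get-ADComputer -Filter * -SearchBase $searchBase | ForEach-Object {
    $computer = $_
    # The AD: drive exposes the object's security descriptor to Get-Acl
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Full Control = every bit of GenericAll set
        $fullControl = ($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll
        # Reset Password = ExtendedRight scoped to that GUID, or to all extended
        # rights (ObjectType of all zeros)
        $resetPwd = (($ace.ActiveDirectoryRights -band $extendedRight) -eq $extendedRight) -and
                    ($ace.ObjectType -eq $resetPasswordGuid -or $ace.ObjectType -eq [Guid]::Empty)

        if (-not ($fullControl -or $resetPwd)) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }

        $right = if ($fullControl) { 'FullControl' } else { 'ResetPassword' }
        [PSCustomObject]@{
            Computer  = $computer.Name
            Trustee   = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited   # inherited ACEs point at the OU, not the object
        }
    }
} | Sort-Object Computer, Trustee | Format-Table -AutoSize
```

An inherited entry means the grant was made on a parent OU, so the fix belongs there rather than on the individual computer object.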
 
Krzysztof Pytko, Senior Active Directory Engineer, commented:
Normally they shouldn't be able to reset Domain Admins'/Enterprise Admins' passwords. They should be able to reset only regular users' passwords.

Krzysztof
0
 
pma111 (Author) commented:
So by an auditor not worrying about permissions set in the Security tab of the object's (in this case a server's) properties, they won't be missing any major security flaw that could lead to unauthorised access to that device?

Thanks
0
 
pma111 (Author) commented:
>>Normally they shouldn't be able to reset Domain Admins'/Enterprise Admins' passwords. They should be able to reset only regular users' passwords.

What about a local admin password on a member server?
0
 
Krzysztof Pytko, Senior Active Directory Engineer, commented:
Yes, they wouldn't be able to do anything with these rights on a device.

Krzysztof
0
 
Krzysztof Pytko, Senior Active Directory Engineer, commented:
Don't worry about the local administrator password. It cannot be set/reset over ADUC. From that console you can only manage/modify domain user accounts.

The local administrator password is stored in the local SAM database on the particular PC/server. To be able to disable/enable or reset the local admin password, you need to have local admin rights as well (the only way is Administrators group membership on that machine).

The other option is to use 3rd-party boot CDs with "hacking" software. To prevent users from running them, set up a BIOS password and remove CD/USB media from the allowed boot options. Also disable the boot menu.

After that you may be sure that you have secured the local workstations.

Krzysztof
0
 
Krzysztof Pytko, Senior Active Directory Engineer, commented:
So, can we do something more for you? Or maybe you have additional questions to us? :)

Krzysztof
0
 
pma111 (Author) commented:
No, I think that's all...

I will exclude such "permissions" from any audit scopes, as the risk doesn't seem to be there.
0
 
Krzysztof Pytko, Senior Active Directory Engineer, commented:
Great! Glad we could help you :)

Krzysztof
0