Solved

High risk AD permissions

Posted on 2012-03-22
Last Modified: 2012-04-02
Can anyone provide their top 5-10 higher risk security permissions for AD objects? I was thinking along the lines of:

1) Users who can reset passwords for accounts other than their own
2) Users who can add members to high security groups such as "domain admins"

etc

Also - what is the exact permission in the security ACL for a domain group that shows which users can ADD new members into this group?
Question by:pma111

Accepted Solution

by:
arnold earned 500 total points
ID: 37755789
The password reset option usually limits the reset to accounts with a similar or lower level, i.e. a limited user in an OU that has the OU password reset option will not be able to reset the Administrator account password.
It would depend on the reset delegation.
The user will have write/modify rights in the OU/group security.
Making a user a member of the Account Operators group.

The delegation command line tools:
http://technet.microsoft.com/en-us/library/cc756087%28v=ws.10%29.aspx

Server Operators, etc. Several rights, if granted to the wrong people, could be hazardous to the enterprise. Not sure what you are trying to get to.
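
An added example, not part of the original answer: one way to audit a group's ACL for the write/modify rights discussed above, in PowerShell. `Test-CanModifyMembership` and `New-SampleAce` are hypothetical helper names, the `EXAMPLE\...` accounts and their ACEs are constructed sample data, and the GUID is the well-known schema GUID of the `member` attribute.

```powershell
# Added example: which Allow ACEs on a group let a trustee change its membership?
# Deny ACEs are ignored here, so the result may overstate effective access.
Add-Type -AssemblyName System.DirectoryServices
$ADR        = [System.DirectoryServices.ActiveDirectoryRights]
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schema GUID of "member"

# Hypothetical helper: returns why an ACE is risky, or $null if it is not.
function Test-CanModifyMembership {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $null }
    # Inherit-only ACEs (flag value 2) apply to child objects, not the group itself.
    if ([int]$Ace.PropagationFlags -band 2) { return $null }
    $r   = [int]$Ace.ActiveDirectoryRights
    $all = [int]$ADR::GenericAll
    if (($r -band $all) -eq $all)        { return 'GenericAll (full control)' }
    if ($r -band [int]$ADR::WriteDacl)   { return 'WriteDacl (can rewrite the ACL)' }
    if ($r -band [int]$ADR::WriteOwner)  { return 'WriteOwner (can take ownership)' }
    # An empty ObjectType means "all attributes"; otherwise it must name "member".
    $scoped = $Ace.ObjectType -eq [guid]::Empty -or $Ace.ObjectType -eq $MemberAttr
    if (($r -band [int]$ADR::WriteProperty) -and $scoped) { return 'WriteProperty on member' }
    if (($r -band [int]$ADR::Self) -and $scoped) { return 'Validated write (add/remove self)' }
    return $null
}

# Constructed sample ACEs (accounts and rights are made up for illustration).
function New-SampleAce($who, $what, $objectType = [guid]::Empty) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount($who)),
        [System.DirectoryServices.ActiveDirectoryRights]$what,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$objectType)
}
$sample = @(
    (New-SampleAce 'EXAMPLE\helpdesk'  'WriteProperty' $MemberAttr),
    (New-SampleAce 'EXAMPLE\ou-admins' 'GenericAll'),
    (New-SampleAce 'EXAMPLE\auditors'  'ReadProperty')
)
$sample | ForEach-Object {
    $why = Test-CanModifyMembership $_
    if ($why) { '{0,-18} {1}' -f $_.IdentityReference, $why }
}

# Against a live domain (needs the RSAT ActiveDirectory module), feed it:
#   (Get-Acl "AD:\$((Get-ADGroup 'Domain Admins').DistinguishedName)").Access
```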