Solved

High risk AD permissions

Posted on 2012-03-22
1
204 Views
Last Modified: 2012-04-02
Can anyone provide their top 5-10 higher risk security permissions for AD objects? I was thinking along the lines of:

1) Users who can reset passwords for accounts other than their own
2) Users who can add members to high security groups such as "domain admins"

etc

Also - what is the exact permission in the security ACL for a domain group that shows which users can ADD new members into this group?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 37755789
Password reset option usually limit the reset to accounts with similar or lower level i.e. a limited user in an OU that has OU password reset option will not be able to reset Administrator account password.
It would depend on the reset delegation.
The user will have write/modify rights in the OU/group security
Making a user member of the account operators.
Group.

The delegation command line tools:
http://technet.microsoft.com/en-us/library/cc756087%28v=ws.10%29.aspx

server operators, etc. several rights if granted to the wrong people could be hazardous to the enterprise.  not sure what you are trying to get to.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question