Solved

High risk AD permissions

Posted on 2012-03-22
Last Modified: 2012-04-02
Can anyone provide their top 5-10 higher risk security permissions for AD objects? I was thinking along the lines of:

1) Users who can reset passwords for accounts other than their own
2) Users who can add members to high security groups such as "domain admins"

etc

Also - what is the exact permission in the security ACL for a domain group that shows which users can ADD new members into this group?
Question by:pma111
1 Comment
 
LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 37755789
The password reset option usually limits the reset to accounts with a similar or lower level, i.e. a limited user in an OU who has the OU password reset option will not be able to reset the Administrator account password.
It would depend on the reset delegation.
The user will have write/modify rights in the OU/group security.
Making a user a member of the Account Operators group.

The delegation command line tools:
http://technet.microsoft.com/en-us/library/cc756087%28v=ws.10%29.aspx

Server Operators, etc.: several rights, if granted to the wrong people, could be hazardous to the enterprise. Not sure what you are trying to get to.
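An added example, not part of the original question or answer: a read-only audit of the ACL on a group (or user) object that lists which trustees hold the rights discussed above, namely write access to the `member` attribute and the Reset Password extended right. It assumes the RSAT ActiveDirectory module is installed; the function name `Get-RiskyAce` is hypothetical, and the two GUIDs are the standard schema identifiers for the `member` attribute and the Reset Password right.

```powershell
# Added example: list ACEs that let a trustee add group members, reset
# passwords, or rewrite the ACL itself. Read-only; changes nothing in AD.
Import-Module ActiveDirectory

$ADR           = [System.DirectoryServices.ActiveDirectoryRights]
$MemberAttr    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$Any           = [guid]::Empty   # ACE not scoped to one attribute or right

function Get-RiskyAce {          # hypothetical helper name
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r   = $ace.ActiveDirectoryRights
        $why = @()

        if ($r.HasFlag($ADR::GenericAll)) {
            $why += 'full control'
        } else {
            # WriteProperty on "member" (or on all properties) = can add members.
            if ($r.HasFlag($ADR::WriteProperty) -and $ace.ObjectType -in $MemberAttr, $Any) {
                $why += 'write members'
            }
            # Reset Password is an extended right; only meaningful on user objects.
            if ($r.HasFlag($ADR::ExtendedRight) -and $ace.ObjectType -in $ResetPassword, $Any) {
                $why += 'reset password'
            }
            # Either of these lets the trustee grant itself the rights above.
            if ($r.HasFlag($ADR::WriteDacl))  { $why += 'modify permissions' }
            if ($r.HasFlag($ADR::WriteOwner)) { $why += 'take ownership' }
        }

        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Rights    = $why -join ', '
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: 'Domain Admins' is the group named in the question; pass any group or user DN.
$group = Get-ADGroup -Identity 'Domain Admins'
Get-RiskyAce -DistinguishedName $group.DistinguishedName |
    Sort-Object Trustee | Format-Table -AutoSize
```

Rows where `Inherited` is `True` come from a delegation set higher up, on the OU or the domain, so that is where the grant has to be reviewed.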