Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 209
  • Last Modified:

High risk AD permissions

Can anyone provide their top 5-10 higher risk security permissions for AD objects? I was thinking along the lines of:

1) Users who can reset passwords for accounts other than their own
2) Users who can add members to high security groups such as "domain admins"

etc

Also - what is the exact permission in the security ACL for a domain group that shows which users can ADD new members into this group?
0
pma111
Asked:
pma111
1 Solution
 
arnoldCommented:
Password reset option usually limit the reset to accounts with similar or lower level i.e. a limited user in an OU that has OU password reset option will not be able to reset Administrator account password.
It would depend on the reset delegation.
The user will have write/modify rights in the OU/group security
Making a user member of the account operators.
Group.

The delegation command line tools:
http://technet.microsoft.com/en-us/library/cc756087%28v=ws.10%29.aspx

server operators, etc. several rights if granted to the wrong people could be hazardous to the enterprise.  not sure what you are trying to get to.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now