Solved

Active Directory Group Administrator

Posted on 2012-04-09
4
430 Views
Last Modified: 2012-04-10
This is probably an easy one. Basically, I want to know why something is happening. Specifically, I have 3 containers.

Container A
Container B
Container Special

I have a container admin for Container A, and a container admin for Container B. Neither container admin A or B has rights to any object in Container Special. Also, container admin A cannot add/modify/delete objects in Container B and vice versa.

So, I want to allow both container admin A and container admin B  to add/delete users from only one specific group under Container Special. This seems easy enough and I grant the Container A and B admin groups access to just this one group (pretty much full control to just the one group object, not descendant objects or anything else).

Everything works as expected except for one thing. Container admin A can add users from Container B into this group under Container Special (and Container admin B can add user from Container A).

I can understand how the members attribute for the group object in the special container can be updated by either admin A or B (they have full rights to the group). Where my brain fails today is why/how they are allowed to update the memberof attribute for a user they don't have rights to?

I have a feeling this is just the way it works, but I'm curious as to why. Any light that can be shed on this would be helpful.

Thanks,
TMR
0
Comment
Question by:timmr72
4 Comments
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 37827502
If the container A admin can read the objects in container B, then container A admin can add users from container B to security groups.

For example, take a security group in container A and add users to it from container B.

If you did not want this behavior to happen, you would need to remove the ability for container A admin to read container B. Then you would create a security group in Container A named something like "A Nested Container Special". Then make that group a member of Container Special Security Group.

Then the container A admin could add users to the nest container A special group. But wouldn't need to permission to any other containers.
0
 
LVL 39

Expert Comment

by:als315
ID: 37827533
Admins A and B are modifying only Container Special (if you are adding user to some container, you are doing nothing with this user, you are changing this container). So this is correct behaviour.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 37827538
Great question! Yep, you're exactly right on the "member" attribute part. That is stored in the group object, and since the admins have security permissions granting them control over that property of the group, they can modify it and add/remove members.

memberOf is not actually a real property but is a so-called "backlink" attribute. Adding a member to a group is the forward-link, and this operation is both read-and-write. However, the backlink on the user object is read-only and automatically calculated by Active Directory. Without going into all the technical detail, this is how the admins have the ability to seemingly update the memberOf attribute on those user accounts. They are not writing to it; AD is calculating it internally.

Florian has a good blog on this here: http://www.frickelsoft.net/blog/?p=130

Incidentally, this architecture is also one of the motivating reasons behind the role played by the Infrastructure Master FSMO holder in a multi-domain forest. In order to represent the forward-link when a user is added to a group in a different domain, AD creates phantoms in the foreign domain of the group so that the user object can be referred back to. The infrastructure role has to maintain these phantoms to ensure they do not get out-of-date. My article on FSMO roles goes in to a bit more detail: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_2796-Demystifying-the-Active-Directory-FSMO-Roles.html

Ultimately, the security consideration is on the control of the security group. Security groups grant access to resources, so it seems prudent that the manager of the group has the say in who becomes a member of that group, rather than the manager of the user account object.

-Matt
0
 

Author Closing Comment

by:timmr72
ID: 37828645
Thank  you Matt. This is exactly what I was looking for. Great answer!
0

Featured Post

Do email signature updates give you a headache?

Do you feel like all of your time is spent managing email signatures? Too busy to visit every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

I have been working as System Administrators since 2003. I recently started working as a FreeLancer and was amazed to find out that very few people are taking full advantage of their Windows Server Machines. Microsoft Windows Server comes with so…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now