Solved

Active Directory Group Administrator

Posted on 2012-04-09
4
431 Views
Last Modified: 2012-04-10
This is probably an easy one. Basically, I want to know why something is happening. Specifically, I have 3 containers.

Container A
Container B
Container Special

I have a container admin for Container A, and a container admin for Container B. Neither container admin A or B has rights to any object in Container Special. Also, container admin A cannot add/modify/delete objects in Container B and vice versa.

So, I want to allow both container admin A and container admin B  to add/delete users from only one specific group under Container Special. This seems easy enough and I grant the Container A and B admin groups access to just this one group (pretty much full control to just the one group object, not descendant objects or anything else).

Everything works as expected except for one thing. Container admin A can add users from Container B into this group under Container Special (and Container admin B can add user from Container A).

I can understand how the members attribute for the group object in the special container can be updated by either admin A or B (they have full rights to the group). Where my brain fails today is why/how they are allowed to update the memberof attribute for a user they don't have rights to?

I have a feeling this is just the way it works, but I'm curious as to why. Any light that can be shed on this would be helpful.

Thanks,
TMR
0
Comment
Question by:timmr72
4 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37827502
If the container A admin can read the objects in container B, then container A admin can add users from container B to security groups.

For example, take a security group in container A and add users to it from container B.

If you did not want this behavior to happen, you would need to remove the ability for container A admin to read container B. Then you would create a security group in Container A named something like "A Nested Container Special". Then make that group a member of Container Special Security Group.

Then the container A admin could add users to the nest container A special group. But wouldn't need to permission to any other containers.
0
 
LVL 39

Expert Comment

by:als315
ID: 37827533
Admins A and B are modifying only Container Special (if you are adding user to some container, you are doing nothing with this user, you are changing this container). So this is correct behaviour.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 37827538
Great question! Yep, you're exactly right on the "member" attribute part. That is stored in the group object, and since the admins have security permissions granting them control over that property of the group, they can modify it and add/remove members.

memberOf is not actually a real property but is a so-called "backlink" attribute. Adding a member to a group is the forward-link, and this operation is both read-and-write. However, the backlink on the user object is read-only and automatically calculated by Active Directory. Without going into all the technical detail, this is how the admins have the ability to seemingly update the memberOf attribute on those user accounts. They are not writing to it; AD is calculating it internally.

Florian has a good blog on this here: http://www.frickelsoft.net/blog/?p=130

Incidentally, this architecture is also one of the motivating reasons behind the role played by the Infrastructure Master FSMO holder in a multi-domain forest. In order to represent the forward-link when a user is added to a group in a different domain, AD creates phantoms in the foreign domain of the group so that the user object can be referred back to. The infrastructure role has to maintain these phantoms to ensure they do not get out-of-date. My article on FSMO roles goes in to a bit more detail: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_2796-Demystifying-the-Active-Directory-FSMO-Roles.html

Ultimately, the security consideration is on the control of the security group. Security groups grant access to resources, so it seems prudent that the manager of the group has the say in who becomes a member of that group, rather than the manager of the user account object.

-Matt
0
 

Author Closing Comment

by:timmr72
ID: 37828645
Thank  you Matt. This is exactly what I was looking for. Great answer!
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now