Solved

Active Directory Group Administrator

Posted on 2012-04-09
4
434 Views
Last Modified: 2012-04-10
This is probably an easy one. Basically, I want to know why something is happening. Specifically, I have 3 containers.

Container A
Container B
Container Special

I have a container admin for Container A, and a container admin for Container B. Neither container admin A or B has rights to any object in Container Special. Also, container admin A cannot add/modify/delete objects in Container B and vice versa.

So, I want to allow both container admin A and container admin B to add/delete users from only one specific group under Container Special. This seems easy enough and I grant the Container A and B admin groups access to just this one group (pretty much full control to just the one group object, not descendant objects or anything else).

Everything works as expected except for one thing. Container admin A can add users from Container B into this group under Container Special (and Container admin B can add users from Container A).

I can understand how the members attribute for the group object in the special container can be updated by either admin A or B (they have full rights to the group). Where my brain fails today is why/how they are allowed to update the memberof attribute for a user they don't have rights to?

I have a feeling this is just the way it works, but I'm curious as to why. Any light that can be shed on this would be helpful.

Thanks,
TMR
0
Comment
Question by:timmr72
4 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37827502
If the container A admin can read the objects in container B, then container A admin can add users from container B to security groups.

For example, take a security group in container A and add users to it from container B.

If you did not want this behavior to happen, you would need to remove the ability for container A admin to read container B. Then you would create a security group in Container A named something like "A Nested Container Special". Then make that group a member of Container Special Security Group.

Then the container A admin could add users to the nested container A special group, but wouldn't need permission to any other containers.
0
 
LVL 40

Expert Comment

by:als315
ID: 37827533
Admins A and B are modifying only Container Special (if you are adding a user to some container, you are doing nothing with this user, you are changing this container). So this is correct behaviour.
0
 
LVL 58

Accepted Solution

by:tigermatt (earned 250 total points)
ID: 37827538
Great question! Yep, you're exactly right on the "member" attribute part. That is stored in the group object, and since the admins have security permissions granting them control over that property of the group, they can modify it and add/remove members.

memberOf is not actually a real property but is a so-called "backlink" attribute. Adding a member to a group is the forward-link, and this operation is both read-and-write. However, the backlink on the user object is read-only and automatically calculated by Active Directory. Without going into all the technical detail, this is how the admins have the ability to seemingly update the memberOf attribute on those user accounts. They are not writing to it; AD is calculating it internally.

Florian has a good blog on this here: http://www.frickelsoft.net/blog/?p=130

Incidentally, this architecture is also one of the motivating reasons behind the role played by the Infrastructure Master FSMO holder in a multi-domain forest. In order to represent the forward-link when a user is added to a group in a different domain, AD creates phantoms in the foreign domain of the group so that the user object can be referred back to. The infrastructure role has to maintain these phantoms to ensure they do not get out-of-date. My article on FSMO roles goes into a bit more detail: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_2796-Demystifying-the-Active-Directory-FSMO-Roles.html

Ultimately, the security consideration is on the control of the security group. Security groups grant access to resources, so it seems prudent that the manager of the group has the say in who becomes a member of that group, rather than the manager of the user account object.

-Matt
0
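The forward-link/backlink relationship described in the accepted answer can be checked directly with the RSAT ActiveDirectory module. The script below is an added example, not code from the thread or from Microsoft: it reads the schema to show that `member` is a forward link and `memberOf` its backlink, lists the ACEs on the group that grant write access to `member` (the permission admin A and B were delegated), shows that a direct write to `memberOf` on the user is rejected for every caller, and then adds the user through the group's `member` attribute and re-reads `memberOf` to show AD calculated it. The group name, user name and the assumption that the caller has been delegated rights on the group but not on the user are placeholders to adapt.

```powershell
<#
  Added example (not from the original thread). Demonstrates that memberOf is a
  backlink calculated by AD, while member on the group is the writable forward
  link. Requires the RSAT ActiveDirectory module. GroupName and UserSam are
  placeholders; run as an account delegated rights on the group only.
#>
param(
    [string]$GroupName = 'Special Group',   # placeholder: group in Container Special
    [string]$UserSam   = 'userB1'           # placeholder: user in Container B
)

Import-Module ActiveDirectory

# 1. Schema check: forward links have an even linkID, the matching backlink has
#    linkID = forward + 1. Backlinks are maintained by the directory service and
#    are never written by a client, whatever the ACL on the user object says.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(|(lDAPDisplayName=member)(lDAPDisplayName=memberOf))' `
    -Properties lDAPDisplayName, linkID, schemaIDGUID
foreach ($a in $attrs) {
    $kind = if ($a.linkID % 2 -eq 0) { 'forward link' } else { 'backlink' }
    '{0,-10} linkID={1} ({2})' -f $a.lDAPDisplayName, $a.linkID, $kind
}
# schemaIDGUID of 'member' identifies the property in property-specific ACEs
$memberGuid = [guid]($attrs | Where-Object lDAPDisplayName -eq 'member').schemaIDGUID

$group = Get-ADGroup -Identity $GroupName -Properties member
$user  = Get-ADUser  -Identity $UserSam   -Properties memberOf

# 2. ACEs on the group object that allow WriteProperty on 'member' (or on all
#    properties, ObjectType = empty GUID). These are what let the container
#    admins change the group's membership.
$acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize

# 3. Try to write memberOf on the user directly. This is rejected for every
#    caller, Domain Admins included, because memberOf is a system-maintained
#    backlink rather than a writable attribute.
try {
    Set-ADUser -Identity $user -Replace @{ memberOf = @($group.DistinguishedName) } -ErrorAction Stop
    'Unexpected: memberOf accepted a direct write.'
} catch {
    "Direct write to memberOf rejected, as expected: $($_.Exception.Message)"
}

# 4. Modify the forward link on the group instead. This succeeds when the caller
#    has WriteProperty on 'member' for the group; AD then recomputes memberOf on
#    the user without any write to the user object itself.
Set-ADGroup -Identity $group -Add @{ member = @($user.DistinguishedName) } -ErrorAction Stop
$userAfter = Get-ADUser -Identity $UserSam -Properties memberOf
if ($userAfter.memberOf -contains $group.DistinguishedName) {
    "memberOf on $UserSam now lists $($group.DistinguishedName) (calculated by AD, not written)"
}

# 5. Undo the membership change so the script can be re-run.
Set-ADGroup -Identity $group -Remove @{ member = @($user.DistinguishedName) } -ErrorAction Stop
```

Step 2 is the useful audit view: if a principal appears there with WriteProperty on `member`, it can add any user it can read to the group, and the ACL on the user objects has no say in it.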
 

Author Closing Comment

by:timmr72
ID: 37828645
Thank you Matt. This is exactly what I was looking for. Great answer!
0
