Solved

Active Directory Group Administrator

Posted on 2012-04-09
4
435 Views
Last Modified: 2012-04-10
This is probably an easy one. Basically, I want to know why something is happening. Specifically, I have 3 containers.

Container A
Container B
Container Special

I have a container admin for Container A, and a container admin for Container B. Neither container admin A or B has rights to any object in Container Special. Also, container admin A cannot add/modify/delete objects in Container B and vice versa.

So, I want to allow both container admin A and container admin B to add/delete users from only one specific group under Container Special. This seems easy enough and I grant the Container A and B admin groups access to just this one group (pretty much full control to just the one group object, not descendant objects or anything else).

Everything works as expected except for one thing. Container admin A can add users from Container B into this group under Container Special (and Container admin B can add users from Container A).

I can understand how the members attribute for the group object in the special container can be updated by either admin A or B (they have full rights to the group). Where my brain fails today is why/how they are allowed to update the memberof attribute for a user they don't have rights to?

I have a feeling this is just the way it works, but I'm curious as to why. Any light that can be shed on this would be helpful.

Thanks,
TMR
0
Question by:timmr72
4 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37827502
If the container A admin can read the objects in container B, then container A admin can add users from container B to security groups.

For example, take a security group in container A and add users to it from container B.

If you did not want this behavior to happen, you would need to remove the ability for container A admin to read container B. Then you would create a security group in Container A named something like "A Nested Container Special". Then make that group a member of Container Special Security Group.

Then the container A admin could add users to the nested container A special group, but wouldn't need permission to any other containers.
0
 
LVL 40

Expert Comment

by:als315
ID: 37827533
Admins A and B are modifying only Container Special (if you are adding user to some container, you are doing nothing with this user, you are changing this container). So this is correct behaviour.
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 250 total points
ID: 37827538
Great question! Yep, you're exactly right on the "member" attribute part. That is stored in the group object, and since the admins have security permissions granting them control over that property of the group, they can modify it and add/remove members.

memberOf is not actually a real property but is a so-called "backlink" attribute. Adding a member to a group is the forward-link, and this operation is both read-and-write. However, the backlink on the user object is read-only and automatically calculated by Active Directory. Without going into all the technical detail, this is how the admins have the ability to seemingly update the memberOf attribute on those user accounts. They are not writing to it; AD is calculating it internally.

Florian has a good blog on this here: http://www.frickelsoft.net/blog/?p=130

Incidentally, this architecture is also one of the motivating reasons behind the role played by the Infrastructure Master FSMO holder in a multi-domain forest. In order to represent the forward-link when a user is added to a group in a different domain, AD creates phantoms in the foreign domain of the group so that the user object can be referred back to. The infrastructure role has to maintain these phantoms to ensure they do not get out-of-date. My article on FSMO roles goes into a bit more detail: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_2796-Demystifying-the-Active-Directory-FSMO-Roles.html

Ultimately, the security consideration is on the control of the security group. Security groups grant access to resources, so it seems prudent that the manager of the group has the say in who becomes a member of that group, rather than the manager of the user account object.

-Matt
0
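The accepted answer's point is that the only ACL that matters for membership is the one on the group object: "member" is the writable forward link, and "memberOf" on the user is a computed back-link. The script below is an added example, not code from the thread or from any of the posters. It assumes the RSAT ActiveDirectory module on a domain-joined host (which provides the AD: PSDrive used by Get-Acl); the group name "Special-Group" and user "jdoe" are hypothetical placeholders standing in for the group under Container Special and a user from Container A or B. It audits which principals hold write access to the group's "member" attribute, confirms that the user's memberOf reflects that change without any rights on the user object, and lists recent membership-change events for the group so a defender can watch a sensitive group the same way this question's admins manage it.

```powershell
# Added example (not from the original thread). Requires the RSAT
# ActiveDirectory module; run as a user with read access to the objects.
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute: the forward link the group ACL controls.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-GroupMembershipWriters {
    # Lists the ACEs on the *group* object that allow writing "member".
    # The ACLs on the user objects are never consulted for this operation,
    # which is exactly why admin A can add a user from container B.
    param([Parameter(Mandatory)][string]$GroupIdentity)

    $group = Get-ADGroup -Identity $GroupIdentity
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        ) -and
        # Empty ObjectType = every property; otherwise it must be "member" itself.
        # Caveat: property-set GUIDs that bundle "member" are not expanded here.
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $MemberAttributeGuid)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

function Test-BackLink {
    # Returns $true when the user's computed memberOf lists the group.
    # Nothing is written to the user object; AD derives memberOf from the
    # group's "member" values, as the accepted answer explains.
    param(
        [Parameter(Mandatory)][string]$UserIdentity,
        [Parameter(Mandatory)][string]$GroupIdentity
    )
    $user  = Get-ADUser  -Identity $UserIdentity -Properties memberOf
    $group = Get-ADGroup -Identity $GroupIdentity
    return ($user.memberOf -contains $group.DistinguishedName)
}

function Get-MembershipChangeEvents {
    # Membership changes are audited on the DC that processed them:
    # 4728/4729 = global group add/remove, 4756/4757 = universal group add/remove.
    # Run on that DC or against a collector holding its forwarded Security log.
    param(
        [Parameter(Mandatory)][string]$GroupSamAccountName,
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4756, 4757
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull fields by name from the event XML rather than by positional index.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Group  = $data['TargetUserName']
            Member = $data['MemberName']
            By     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    } | Where-Object { $_.Group -eq $GroupSamAccountName }
}

# Hypothetical usage (names are placeholders, not from the thread):
Get-GroupMembershipWriters -GroupIdentity 'Special-Group' | Format-Table -AutoSize
Test-BackLink -UserIdentity 'jdoe' -GroupIdentity 'Special-Group'
Get-MembershipChangeEvents -GroupSamAccountName 'Special-Group' -Hours 24 | Format-Table -AutoSize
```

The first function is the check to run before delegating "full control" to a single group as described in the question: it shows every principal (including inherited ACEs from Container Special) that can change membership, which is the real security boundary here. The event query is the corresponding detection: because the write lands on the group, the audit record names the group and the member DN, so filtering on the group's sAMAccountName is enough to see additions from any container.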
 

Author Closing Comment

by:timmr72
ID: 37828645
Thank you Matt. This is exactly what I was looking for. Great answer!
0
