  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 572

Active Directory Delegation Issue

Hi,
 
I am facing a strange issue with delegation of rights. We have a requirement to delegate permission to a user account on an OU to create computer accounts. This has been provided, but the issue is that if the user creates a computer account, he is able to delete it as well. But he is not able to delete the other computer accounts that are in that OU. When I check the Effective Permissions of that user on the computer account he has created, I can see that he has Delete rights. I have thoroughly checked the permissions on the parent OUs, but there is no such right for that user.
 
I have done the testing with different user accounts on different OUs, but the result is the same. I have tried giving the delegation for creating user accounts, but in that case the user accounts cannot be deleted with the delegated account.
 
The issue happens only with computer accounts. I have also checked the group membership of the user to make sure he is not getting access through some group membership. Also, there is no Creator Owner access on the OU.
 
When I check the owner of the account created by the delegated ID, I find that he is the owner.
Asked by: Neo_78

1 Solution
 
achaldaveCommented:
By default the owner of an object can modify/delete that object in 2003 AD. Try this: create a group, add the delegated users to that group, and set a Deny Delete permission on the OUs and their child objects for that group.

For 2008 AD, Owner Rights can be used to protect such objects:
http://jorgequestforknowledge.wordpress.com/category/active-directory-domain-services-adds/delegation-of-control/
0
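As an added illustration (not part of achaldave's answer), the PowerShell below applies the suggested Deny Delete ACE for a group on an OU, scoped to computer objects, and then reads back the DACL of a test computer so the ACE order can be inspected. The OU, group and computer names are assumptions, and the standard ActiveDirectory module (RSAT) is assumed to be present. One caveat worth checking in the read-back: Windows evaluates explicit ACEs before inherited ones, so an inherited Deny from the OU does not override an Allow stamped directly on the object (for example one the creating user holds as its owner); the inherited deny only wins against rights that would themselves arrive by inheritance.

```powershell
# Added example, not code from the thread. Assumed names: the OU, the group
# "Computer-Creators" and the test computer "TESTPC01".
Import-Module ActiveDirectory

$ouDn     = 'OU=Workstations,DC=corp,DC=example'      # assumption
$groupSid = (Get-ADGroup 'Computer-Creators').SID      # assumption

# Look up the schemaIDGUID of the 'computer' class instead of hard-coding it,
# so the ACE applies only to computer objects under the OU.
$schemaNC          = (Get-ADRootDSE).schemaNamingContext
$computerClass     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerClassGuid = [guid]$computerClass.schemaIDGUID

# Build an inheritable Deny ACE for Delete and DeleteTree on descendant computer objects.
$acl  = Get-Acl -Path "AD:\$ouDn"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree',
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)    # inheritedObjectType: only objects of class 'computer' inherit it
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back a computer created by the delegated user and list every ACE that
# carries a delete right. IsInherited = False rows are explicit ACEs on the
# object and are evaluated before the inherited Deny from the OU.
$testDn = "CN=TESTPC01,$ouDn"                          # assumption
(Get-Acl -Path "AD:\$testDn").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'Delete' } |
    Select-Object IdentityReference, AccessControlType, IsInherited, ActiveDirectoryRights |
    Format-Table -AutoSize
```

If the read-back shows an explicit Allow for the creating user with Delete in it, the group-level deny on the OU will not stop that user deleting the object he created; that is the case the rest of the thread ends up diagnosing.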
 
Neo_78Author Commented:
Hi,

I do accept that the owner has access to modify/delete the object, but the same thing is not happening for users. When a user ID is created, the owner is the delegated ID, but he is not able to delete it. It is happening with computer accounts only.
0
 
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
I did find some more information ... I guess this will answer your query.

http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/68e3c67c-e79a-47c3-8090-0304fa71f5f2

http://www.pcreview.co.uk/forums/move-computers-between-ous-do-t1458382.html
"Delete computer objects" on the source OU
"Create computer objects" and "Full control to computer objects" on the
target OU.

- Rancy
0
 
Neo_78Author Commented:
Hi Rancy,

The solution in the link didn't help me.
 
The issue still persists. I was going through the link below about Owner Rights, which is a feature of Windows 2008. This will help us manage the owner rights on objects; by default the owner has Delete rights.
 
As I have mixed Domain Controllers of Windows 2003, 2008 and 2008 R2, this will not help me. In Windows 2003, is there a way to control the access of Creator Owner on the objects?
 
Also, in the "Add computers to domain" access right we do not have any ID or group added.
 
http://technet.microsoft.com/fr-fr/library/dd125370(v=ws.10).aspx
0
 
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
On the OU where you have the computer objects, does the user have the "Delete computer objects" right? If so, what if you remove that right for that user, let replication happen, and try with a test object in that OU?

- Rancy
0
 
Neo_78Author Commented:
Hi,
 
The issue is finally resolved, so I thought of sharing the information with you in case you need it. I was going through some articles on the net about how ACLs are calculated and I came across a link which says that the DACL is calculated from the schema class as well. I have checked the computer object class ACL and found that Creator Owner has Delete permissions. I have unchecked only the Delete ACE, and after that the issue is resolved. The user is now only able to create computer accounts but not delete them.
 
Thanks all for the help.
0
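To make the mechanism in the resolution above concrete, here is an added PowerShell example (not code from the thread) that reads a schema class's defaultSecurityDescriptor, shows what the CREATOR OWNER (SID S-1-3-0) ACE in it grants, and builds the SDDL that results from clearing the Delete and DeleteTree bits on that ACE. When an object is created, the stamped DACL comes from this default descriptor with CREATOR OWNER replaced by the creating principal, which is why an explicit Delete ACE for the delegated user appears on every computer he creates. The sample SDDL embedded in the block is a constructed, trimmed string modelled on the stock computer class default (it is not a copy of any particular forest's value); the live read uses the standard ActiveDirectory module, and the write-back is left as a commented -WhatIf step because changing the schema needs Schema Admins, the schema master, and a lab test first.

```powershell
# Added example, not from the thread. Assumes RSAT/ActiveDirectory module for
# the live section; the SDDL parsing part runs offline on the constructed sample.
Import-Module ActiveDirectory

$CreatorOwnerSid = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'   # CREATOR OWNER, "CO" in SDDL
$DeleteMask      = [int][System.DirectoryServices.ActiveDirectoryRights]::Delete      # 0x10000, SDDL "SD"
$DeleteTreeMask  = [int][System.DirectoryServices.ActiveDirectoryRights]::DeleteTree  # 0x00040, SDDL "DT"

# Live read of a class's defaultSecurityDescriptor from the schema NC.
function Get-ClassDefaultSddl {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties defaultSecurityDescriptor
    $cls.defaultSecurityDescriptor
}

# Parse SDDL and report every ACE whose trustee is CREATOR OWNER.
function Show-CreatorOwnerRights {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }   # skip custom ACEs
        if ($ace.SecurityIdentifier -ne $CreatorOwnerSid) { continue }
        [pscustomobject]@{
            AceType   = $ace.AceType
            Rights    = [System.DirectoryServices.ActiveDirectoryRights]$ace.AccessMask
            CanDelete = (($ace.AccessMask -band ($DeleteMask -bor $DeleteTreeMask)) -ne 0)
        }
    }
}

# Return the same descriptor with Delete/DeleteTree cleared on every CREATOR OWNER allow ACE.
function Remove-CreatorOwnerDelete {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        if ($ace.SecurityIdentifier -eq $CreatorOwnerSid -and $ace.AceType -eq 'AccessAllowed') {
            $ace.AccessMask = $ace.AccessMask -band (-bnot ($DeleteMask -bor $DeleteTreeMask))
        }
    }
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Constructed sample, trimmed and modelled on the stock 'computer' class default:
# CO is allowed RP CR LC LO RC SD DT, and SD/DT are the delete rights.
$sampleSddl = 'D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLORCSDDT;;;CO)(A;;RPLCLORC;;;AU)'
Show-CreatorOwnerRights -Sddl $sampleSddl
Remove-CreatorOwnerDelete -Sddl $sampleSddl

# Live: compare 'computer' with 'user'. No output for a class means it carries
# no CREATOR OWNER ACE, which is the difference the thread observed.
'computer', 'user' | ForEach-Object {
    "--- $_"
    Show-CreatorOwnerRights -Sddl (Get-ClassDefaultSddl -LdapDisplayName $_)
}

# Write-back (Schema Admins, against the schema master, lab first). Only objects
# created after the change pick up the new default; existing DACLs are untouched.
# $cls = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(lDAPDisplayName=computer)'
# Set-ADObject -Identity $cls -Replace @{ defaultSecurityDescriptor = (Remove-CreatorOwnerDelete (Get-ClassDefaultSddl computer)) } -WhatIf
```

Run Show-CreatorOwnerRights on the live value before touching anything; it tells you whether the forest's computer class still carries the CO delete bits, and the output of Remove-CreatorOwnerDelete is the exact string you would be writing back, so it can be reviewed and diffed against the original first.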
 
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
Can you please share the article? :)

I guess neither I nor anyone else would ever recommend playing with schema attributes.

- Rancy
0
 
Neo_78Author Commented:
None of the other solutions helped. I have got the solution and wanted to share it with all, so that if anyone faces this issue they can get help.
0
