Active Directory Reporting

Asked by jamiepryer (United Kingdom)
Tags: Windows Server 2003, Active Directory
Hi,
I wanted to know if it's possible to run some kind of report within AD to find any accounts that can do the following ADMIN tasks (LDAP query or something?).

I'm not sure how you know or where this authority is even set.
I know you can get this access via access to a group like "domain admins"; however, is it possible to be given access directly, outside of this group?

This is to close down a security/audit issue.

Group Management Tasks
• Modify group membership (WP on the group object to modify Members attribute)
• Modify the scope of the group (WP on the group object to modify Group-Type attribute)
• Delete a group (SD on the group object itself OR DC on parent object (to delete objects of class Group))
• Create a group (CC on parent object (to create objects of class Group))

User Account Management Tasks
• Create a user account in disabled state (CC on parent object (to create objects of class User))
• Create a user account (CC on parent object (to create objects of class User), WP on the user object to modify User-Account-Control attribute, Extended Right "Reset Password" required on user account)
• Delete a user account (SD on the user object itself OR DC on parent object (to delete objects of class User))
• Disable a user account (WP on the user object to modify User-Account-Control attribute)
• Unlock a user account (WP on the user object to modify the Lockout-Time attribute)
• Enable a disabled user account (WP on the user object to modify User-Account-Control attribute)
• Reset a user account's password (The User-Change-Password extended right is required on the user object)
• Specify the computers from which a user can log on (WP on the user object to modify User-Workstations attribute)
• Set User cannot change password for a user account (WD on the user object)
• Set Password Never Expires for a user account (WP on the user object to modify User-Account-Control attribute)
• Specify the date when a user account expires (WP on the user object to modify Account-Expires attribute)
• Add a user account to a group (WP on the target Group object to modify Member attribute)
• Remove the user from a group (WP on the target Group object to modify Member attribute)
• Create a user account (CC on parent object (to create objects of class User), WP on the user object to modify User-Account-Control attribute, Extended Right "Reset Password" required on user account, SD on the user object itself OR DC on parent object (to delete objects of class User))

Group Policy Management Tasks
• Modify Site Group Policy Options (WP on the corresponding site object, cn=<Site>,cn=Sites,cn=Configuration,dc=<forestRootDomain>, to modify the GP-Options attribute)
• Edit a Group Policy object (Requires "Edit Settings" on the GPO)
• Modify security on a Group Policy object (Requires "Edit Settings, Delete, Modify Security" on the GPO)

Computer Management Tasks
• Rename a computer account (WP on the computer object to modify all attributes)
• Create a computer account (CC on parent object (to create objects of class Computer))
• Move a computer account (SD on the computer object itself OR DC on parent object (to delete objects of class Computer), CC on target parent (to create objects of class Computer), WP on the computer object to modify Common-Name attribute, WP on the computer object to modify RDN attribute)
• Disable a computer account (WP on the computer object to modify User-Account-Control attribute)
• Specify the Pre-Windows 2000 compatible name for a computer (WP on the computer object to modify SAM-Account-Name attribute)
• Set a computer's DNS name (Validated-DNS-Host-Name SW on the computer object)
• Reset a computer account (The Force-User-Change-Password extended right is required on the computer object)
• Add a computer account to a group (WP on the target group object to modify Member attribute)
• Specify that a computer account be trusted for delegation (WP on the computer object to modify User-Account-Control attribute; the "Enable computer and user accounts to be trusted for delegation" user right is required, modified in Default Domain Controller Security Policy)
• Specify whether a computer account can be trusted for delegation to any service (Kerberos only) (User right "Enable User and Computer account to be trusted for Delegation" required (assigned in default Domain Controller Policy))
• Specify that a computer account be trusted for delegation to specific services only (User right "Enable User and Computer account to be trusted for Delegation" required (assigned in default Domain Controller Policy), WP on the computer object to modify msDS-AllowedToDelegateTo attribute)
• Specify "Use Kerberos Only" (User right "Enable User and Computer account to be trusted for Delegation" required (assigned in default Domain Controller Policy), WP on the computer object to modify msDS-AllowedToDelegateTo attribute)
• Specify "Use any authentication protocol" (User right "Enable User and Computer account to be trusted for Delegation" required (assigned in default Domain Controller Policy), WP on the computer object to modify msDS-AllowedToDelegateTo attribute)
• Add/Remove the services to which a computer account can present delegated credentials (WP on the computer object to modify msDS-AllowedToDelegateTo attribute)
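One way to produce the report the question asks for, as an added example that is not from the original thread or its answer: a PowerShell script that walks the domain's object ACLs and lists every explicit Allow ACE that grants the WP, extended-right, CC/DC, SD or WD permissions named in the list above to a principal other than the built-in administrative ones. It assumes the ActiveDirectory module is available (it needs ADWS, or the Active Directory Management Gateway Service on a Windows Server 2003 DC); the `$expected` exclusion list and the output file name are choices made for this example.

```powershell
# Added audit example (not from the thread); assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext

# Resolve the GUIDs that object-specific ACEs refer to from this forest's own schema and
# Extended-Rights container, so nothing is hard-coded: the attributes and classes from the
# list above, plus the two password extended rights. The empty GUID means "all".
$guidMap = @{ '00000000-0000-0000-0000-000000000000' = '(all)' }
foreach ($n in 'member','groupType','userAccountControl','lockoutTime','userWorkstations',
              'accountExpires','msDS-AllowedToDelegateTo','user','group','computer') {
    $s = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$n)" -Properties schemaIDGUID
    if ($s) { $guidMap[([guid]$s.schemaIDGUID).ToString()] = $n }
}
foreach ($n in 'User-Force-Change-Password','User-Change-Password') {
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter "(cn=$n)" -Properties rightsGuid
    if ($r) { $guidMap[([guid]$r.rightsGuid).ToString()] = $n }
}

# Access-mask flags that cover WP, the extended rights, CC/DC, SD and WD from the list above.
$rightsOfInterest = 'WriteProperty','ExtendedRight','CreateChild','DeleteChild','Delete','WriteDacl','WriteOwner','GenericWrite','GenericAll'
# Principals expected to hold these rights everywhere; this exclusion list is a choice for the example.
$expected = 'NT AUTHORITY\SYSTEM','NT AUTHORITY\SELF','BUILTIN\Administrators','\Domain Admins','\Enterprise Admins'

$filter = '(|(objectClass=user)(objectClass=group)(objectClass=organizationalUnit)(objectClass=container))'
$report = foreach ($obj in Get-ADObject -SearchBase $domainDN -SearchScope Subtree -LDAPFilter $filter) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Explicit Allow ACEs only: an OU-level grant is reported once, where it is set,
        # rather than on every child object it inherits down to.
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
        $who = $ace.IdentityReference.Value
        if ($expected | Where-Object { $who -like "*$_" }) { continue }
        $flags   = $ace.ActiveDirectoryRights.ToString() -split ', '
        $matched = $rightsOfInterest | Where-Object { $flags -contains $_ }
        if (-not $matched) { continue }
        $target = $guidMap[$ace.ObjectType.ToString()]
        if (-not $target) { continue }   # an attribute or right the list above does not cover
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Trustee   = $who
            Rights    = ($matched -join ',')
            AppliesTo = $target
            InheritTo = $ace.InheritanceType
        }
    }
}
$report | Sort-Object Trustee, Object | Export-Csv -Path .\ad-delegation-report.csv -NoTypeInformation
```

Each row names the object where the grant is set, the trustee, the matched rights and the attribute, class or extended right they apply to, so a trustee listed here can do the corresponding task without being in Domain Admins; rows whose Trustee is a group still need that group's membership expanded to reach individual accounts.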