AD Security

Please tell me why any account in admin groups can change security data while there is only me and "administrator" account in "Allowed" list?
I can log in under user that in "domain admins" group and can set up any rights/permissions for my account.
Nick JamesonIT AdminAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Naveen SharmaCommented:
Securing Active Directory Administrative Groups and Accounts:

Group Policy: Administrator Rights for Specific Users on Specific Computers:

Keeping your Active Directory secure when delegating privileges to users:

Hope this helps!
What allowed list? Can you offer a screen shot?
Nick JamesonIT AdminAuthor Commented:
I mean allowed rights. For example: only this users can admin account, but i can log in under another admin account, open user card and insert another user or add rights to existent user without any warnings..
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

Shaun VermaakTechnical SpecialistCommented:
can log in under another admin account
That is the purpose of an admin account and why you should limit members
You have disabled AD user object inheritance and then removed all but administrator
In that case another user though it is member of domain admins, he should not get any accesss to user account
I just checked quickly in my lab and it is working as expected
I believe the test user you created previously must be part of high privileged AD group such as domain admins and hence its security descriptor must be getting set to default value every hour and thus getting other admins access to it. This is because admincount is set to 1

Try below
Create new AD user
disable its inheritance
remove all but administrator
now logon with another admin account and check if you are able to do any changes, I believe you will not
Sara TeasdaleCommented:
Why is there no feedback on Mahesh's suggestion? It's the only possible explanation.
I think I got the issue

Though you have removed all admin account except one from ACL, account owner is by default "domain admins"
As a fact other admin account can make changes to acl as it is also part of domain admins group
If you want to check, you can remove "domain admins" from ownership and add any other account (say x) there
now if other admin user logged on (say y) , he would not be able to make security permission changes unless he take account ownership
This is same like standard NTFS ACL rule

I don't want to object the question however if you could keep this question open and try above you will get the answer
Sara, the author did not answer his own question, that is why I object.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.