• Status: Open
  • Priority: Low
  • Security: Public
  • Views: 53
  • Last Modified:

AD Security

Please tell me why any account in admin groups can change security data while there is only me and "administrator" account in "Allowed" list?
I can log in under user that in "domain admins" group and can set up any rights/permissions for my account.
Nick Jameson
Nick Jameson
Naveen SharmaCommented:
Securing Active Directory Administrative Groups and Accounts:

Group Policy: Administrator Rights for Specific Users on Specific Computers:

Keeping your Active Directory secure when delegating privileges to users:

Hope this helps!
What allowed list? Can you offer a screen shot?
Nick JamesonIT AdminAuthor Commented:
I mean allowed rights. For example: only this users can admin account, but i can log in under another admin account, open user card and insert another user or add rights to existent user without any warnings..
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

Shaun VermaakTechnical Specialist/DeveloperCommented:
can log in under another admin account
That is the purpose of an admin account and why you should limit members
You have disabled AD user object inheritance and then removed all but administrator
In that case another user though it is member of domain admins, he should not get any accesss to user account
I just checked quickly in my lab and it is working as expected
I believe the test user you created previously must be part of high privileged AD group such as domain admins and hence its security descriptor must be getting set to default value every hour and thus getting other admins access to it. This is because admincount is set to 1

Try below
Create new AD user
disable its inheritance
remove all but administrator
now logon with another admin account and check if you are able to do any changes, I believe you will not
Sara TeasdaleCommented:
Why is there no feedback on Mahesh's suggestion? It's the only possible explanation.

Join & Write a Comment

Featured Post

Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now