Questions on security
Jason
Posted: Sun Feb 13, 2005 6:46 am    Post subject: Questions on security

Hi,
Recently a group of level 2 system support staff was delegated the right to
manage User and Computer accounts on AD. The delegated right is very similar
or close to that of the default Account Operator group, except that the
delegation is at the OU level and not the domain level.
One day later, we found that something unusual happened on a global group
that all these system support staff are members of. The strange thing is
that whoever is a member of this group will have the "Allow inheritable
permission from parent ..." check box cleared on their user properties page.
In addition, the Account Operator as well as the domain admin group will be
removed from their security tab.
Even when we manually add back these properties, it happens again at
roughly 60-minute intervals.
We have checked that no GPO in place has this type of setting and is applied
to only this group. Auditing and the event log never showed any trace of
object access (at least no user account was identified).
We suspect that it could be someone running a script to make it happen like
that. And this only happens to the group to which we have delegated user and
computer account management permission.
Now the question is, is there any way / tool I can use to check / monitor and
find out what is causing this? Is this a kind of security breach?
Any help appreciated!

Jason

Roger Abell
Posted: Sun Feb 13, 2005 6:46 am    Post subject: Re: Questions on security

It sounds like these accounts are members of a protected group,
and as such are being subjected to system safeguards against the
privileged account being "preemptible" for unauthorized uses.
See: http://support.microsoft.com/?id=817433

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
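
An added example, not part of the thread: a read-only PowerShell audit for confirming the protected-group explanation above. It lists every account marked with adminCount=1, whether its ACL inheritance is disabled, and which protected group it reaches through nested membership. It assumes the ActiveDirectory module (RSAT) is available and that the groups have their default English names; the group list itself is an assumption and varies by Windows version.

```powershell
# Added example, read-only: lists accounts flagged by the protected-group
# safeguard and the protected group each one reaches through nesting.
Import-Module ActiveDirectory

# Assumption: default English names of groups protected by AdminSDHolder.
$protectedNames = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                  'Schema Admins', 'Account Operators', 'Server Operators',
                  'Print Operators', 'Backup Operators', 'Cert Publishers'

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape characters that are special inside an LDAP filter (RFC 4515).
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Map each user DN to the protected groups it belongs to, directly or nested.
$reachedVia = @{}
foreach ($name in $protectedNames) {
    # -Filter returns nothing (no error) when the group is not in this domain.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }
    $dn = ConvertTo-LdapFilterValue $group.DistinguishedName
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (transitive memberOf).
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" | ForEach-Object {
        $key = $_.DistinguishedName
        if (-not $reachedVia.ContainsKey($key)) { $reachedVia[$key] = @() }
        $reachedVia[$key] += $group.Name
    }
}

# The safeguard sets adminCount=1 on every account it stamps with the AdminSDHolder ACL.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor | ForEach-Object {
    [pscustomobject]@{
        User                = $_.SamAccountName
        # True = the "allow inheritable permissions" box is cleared.
        InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
        # Empty = no current path found (stale flag or primary-group membership).
        ProtectedVia        = $reachedVia[$_.DistinguishedName] -join ', '
    }
} | Sort-Object User | Format-Table -AutoSize
```

A support account that shows a value in ProtectedVia is being reset by the directory itself rather than by a script; the fix is to remove the nesting that places the delegated group inside a protected group.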