Questions on security

Toggle sidebar Toggle sidebar
J

Jason

Distinguished
Jul 25, 2003
1,026
0
19,280
Archived from groups: microsoft.public.win2000.security,microsoft.public.windows.server.security (More info?)

Hi,
Recently a group of level 2 system support is dekegated the right to manage
User and Computer accounts on AD. The delegated right is very similar or
close to that of the default Account Operator group except that the
delegation is at the OU level and not the domain level.
One day later , we found that something unusual happened on a global group
that all these system support staff are a member of. The strange thing is
that whoever is a member of this group then their user properties page will
have the "Allow inheritable permission from parent ..." check box cleared.
In addition , the Account Operator as well as the domain admin group will be
removed from their security tab.
Even when we manual add back these properties , it will happen again in
roughly 60 minutes interval.
We have checked that no GPO in place have this type of setting and applied
to only this group. Auditing and eventlog log never showed any trace of
object access ( at least not / no user account identified).
We suspect that it could be someone running a script and make it happen like
that. And this only happen to that group which we have delegated user and
computer account managment permission.
Now the question is , is there any way / tools I can check/ monitor to find
out what is causing this ? Is this can of a security breach ?
Any help appreciated !

Jason
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security,microsoft.public.windows.server.security (More info?)

It sounds like these accounts are members of a protected group,
and as such are being subjected to system safeguards against the
privileged account being "preemptible" for unauthorized uses.
See: http://support.microsoft.com/?id=817433

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jason" <jasons@hotmail.com> wrote in message
news:eQx3SnXEFHA.3972@TK2MSFTNGP15.phx.gbl...
> Hi,
> Recently a group of level 2 system support is dekegated the right to
manage
> User and Computer accounts on AD. The delegated right is very similar or
> close to that of the default Account Operator group except that the
> delegation is at the OU level and not the domain level.
> One day later , we found that something unusual happened on a global group
> that all these system support staff are a member of. The strange thing is
> that whoever is a member of this group then their user properties page
will
> have the "Allow inheritable permission from parent ..." check box cleared.
> In addition , the Account Operator as well as the domain admin group will
be
> removed from their security tab.
> Even when we manual add back these properties , it will happen again in
> roughly 60 minutes interval.
> We have checked that no GPO in place have this type of setting and applied
> to only this group. Auditing and eventlog log never showed any trace of
> object access ( at least not / no user account identified).
> We suspect that it could be someone running a script and make it happen
like
> that. And this only happen to that group which we have delegated user and
> computer account managment permission.
> Now the question is , is there any way / tools I can check/ monitor to
find
> out what is causing this ? Is this can of a security breach ?
> Any help appreciated !
>
> Jason
>
>
>
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom