Security question

george

Distinguished
Oct 29, 2001
1,432
0
19,280
Archived from groups: microsoft.public.win2000.security,microsoft.public.windows.server.security (More info?)

Hi,
Recently a group of system support personnel was delegated the right to
manage user and computer accounts in AD. The delegated right is very similar or
close to that of the default Account Operators group, except that the
delegation is at the OU level and not the domain level.
One day later, we found that something unusual happened on a global group
that all these system support staff are members of. The strange thing is
that whoever is a member of this group has the "Allow inheritable permissions
from parent ..." check box cleared on their user properties page.
In addition, the Account Operators group as well as the Domain Admins group are
removed from their Security tab.
Even when we manually add back these properties, it happens again at
roughly 60-minute intervals.
We have checked that no GPO in place has this type of setting applied
to only this group. Auditing and the event log never showed any trace of
object access (at least no user account was identified).
We suspect that it could be someone running a script that makes it happen like
that. And this only happens to the group to which we have delegated user and
computer account management permission.
Now the question is, is there any way / tools I can check / monitor to find
out what is causing this? Is this a kind of security breach?
Any help appreciated!

George
 
Guest

When you delegate permissions to manage user accounts, members of privileged
groups such as Domain Admins, Server Operators, and Account Operators will
not be included. In other words, a regular user can never be able to manage
the account of a domain admin. That is why the inheritance box is cleared,
and if you enable it the operating system checks for this and removes it
every sixty minutes as you describe. Also it seems that when you delegate
permission to manage user accounts, peer accounts will be excluded so that
the users in the group that were delegated the permission cannot manage each
other's accounts. There are recent posts in this newsgroup [or the
server.security newsgroup] about this subject where another poster did some
extensive testing on this very subject where he discovered this "peer user"
effect. So what you are experiencing is normal, and only admins can manage
admin accounts and will probably have to manage the accounts of the group
you delegate permissions to manage other user accounts, unless you work
around the peer effect with other user delegation to their accounts, such as
adding their accounts to an OU and then delegating that permission for that
OU to a user not in that group. --- Steve


 
Guest

See
http://support.microsoft.com/?id=817433

and let us know if this helps. Thanks!

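The symptoms in this thread (inheritance cleared on members of one group, delegated ACEs gone from the Security tab, and the change reapplied roughly every 60 minutes with nothing in the audit log) are what Steve describes and what KB 817433 documents: the AdminSDHolder object and the SDProp process on the PDC emulator, which stamps adminCount=1 on members of protected groups such as Account Operators, blocks ACL inheritance on them and overwrites their ACL with AdminSDHolder's. The following PowerShell script is an added example, not code from the thread or from Microsoft, for checking whether that mechanism is what is "fighting" an OU-level delegation. It assumes the ActiveDirectory RSAT module, a domain account able to read the objects, and a support group named `OU-Support-Staff` (placeholder; substitute your own group name).

```powershell
# Added example (not from the thread): confirm that AdminSDHolder / SDProp,
# not a rogue script, is resetting the ACLs of the delegated support group's
# members. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$DelegatedGroup = 'OU-Support-Staff'   # ASSUMED name of the delegated support group

# Groups whose members AdminSDHolder protects on Windows 2000 / 2003 domains.
$ProtectedGroupNames = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'Domain Controllers', 'Replicator'
)

function Get-ProtectedGroupsContaining {
    # Returns the protected groups that contain the delegated group, directly
    # or through nesting. The OID is LDAP_MATCHING_RULE_IN_CHAIN, which walks
    # the member attribute transitively on the server side.
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Where-Object { $ProtectedGroupNames -contains $_.Name }
}

function Get-SdPropStateForMembers {
    # For every user in the delegated group, report the two marks SDProp
    # leaves behind: adminCount=1 and an ACL flagged as not inheriting.
    # Explicit ACEs left on the object are those copied from AdminSDHolder;
    # ACEs inherited from the OU (the delegation) will have been dropped.
    param([Parameter(Mandatory)][string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                            -Properties adminCount, nTSecurityDescriptor
            [pscustomobject]@{
                SamAccountName     = $u.SamAccountName
                AdminCount         = $u.adminCount
                InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
                ExplicitAceCount   = @($u.nTSecurityDescriptor.Access |
                                       Where-Object { -not $_.IsInherited }).Count
            }
        }
}

function Get-SdPropIntervalSeconds {
    # SDProp runs on the PDC emulator every 3600 s by default (the "roughly
    # 60 minutes" in the thread). The registry value is only present if an
    # administrator changed the default.
    $pdc = (Get-ADDomain).PDCEmulator
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $v = Invoke-Command -ComputerName $pdc -ScriptBlock {
        (Get-ItemProperty -Path $using:key -Name AdminSDProtectFrequency `
                          -ErrorAction SilentlyContinue).AdminSDProtectFrequency
    }
    if ($null -eq $v) { 3600 } else { [int]$v }
}

Write-Host "Protected groups that contain '$DelegatedGroup' (directly or nested):"
Get-ProtectedGroupsContaining -GroupName $DelegatedGroup |
    Select-Object Name, DistinguishedName | Format-Table -AutoSize

Write-Host "Members: AdminCount=1 with InheritanceBlocked=True means AdminSDHolder owns the ACL"
Get-SdPropStateForMembers -GroupName $DelegatedGroup | Format-Table -AutoSize

Write-Host ("SDProp interval: {0} seconds on {1}" -f (Get-SdPropIntervalSeconds), (Get-ADDomain).PDCEmulator)
```

If the first query lists a group such as Account Operators, the hourly reset is expected behaviour rather than a breach, and re-adding the ACEs by hand will never stick. The durable fix is to take the support group out of the protected group and rely on the OU-level delegation alone; note that doing so does not undo SDProp's earlier work, so adminCount must be cleared and inheritance re-enabled on the affected users afterwards, otherwise they keep the protected ACL indefinitely.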
 

george

Gentlemen, thanks to you both for your input - it really helps. Appreciated.

George

"Desmond Lee" <mcp@donotspamplease.mars> wrote in message
news:FD859775-1285-4A78-A000-E01D676FE1AF@microsoft.com...
> See
> http://support.microsoft.com/?id=817433
>
> and let us know if this helps. Thanks!