Sign in with
Sign up | Sign in
Your question

Default domain permissions

Last response: in Windows 2000/NT
Share
July 26, 2005 12:09:21 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi all - posted this issue in win2000.active_directory a few days ago,
wonder someone could help me?

The OS is windows2000, single domain in native mode.

When I log onto my machine (which has the admin tools installed) as a normal
user, I can modify/create/delete domain user accounts, and create new GPO's.

Things I have tried:

Checking everyone group and domain user group permissions on the domain and
each OU. Would appear that those groups have reset password and some write
permissions. They are not members of domain admins/admins/enterprise
admins.

I have searched high and low for what the default domain user permissions
should be but cannot locate a document with them on. Could someone post
them here please?

Any help much appreciated.
Anonymous
July 27, 2005 6:15:30 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I do not believe there is such a document, and if so, then I would
question if it is up-to-date.

You say a normal user has those abilities, but you have not mentioned
the history of the environment, or whether you have considered all
groups in which the user holds membership.
The abilities you mentioned are things often delegated, and it sounds
as if the Users group may have been delegated those abilities.

--
Roger Abell
Microsoft MVP (Windows Security)

"ade" <someone@nowhere.com> wrote in message
news:o xkszDbkFHA.1204@TK2MSFTNGP12.phx.gbl...
> Hi all - posted this issue in win2000.active_directory a few days ago,
> wonder someone could help me?
>
> The OS is windows2000, single domain in native mode.
>
> When I log onto my machine (which has the admin tools installed) as a
normal
> user, I can modify/create/delete domain user accounts, and create new
GPO's.
>
> Things I have tried:
>
> Checking everyone group and domain user group permissions on the domain
and
> each OU. Would appear that those groups have reset password and some
write
> permissions. They are not members of domain admins/admins/enterprise
> admins.
>
> I have searched high and low for what the default domain user permissions
> should be but cannot locate a document with them on. Could someone post
> them here please?
>
> Any help much appreciated.
>
>
Anonymous
July 27, 2005 5:36:15 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"" wrote:
> Hi all - posted this issue in win2000.active_directory a few
> days ago,
> wonder someone could help me?
>
> The OS is windows2000, single domain in native mode.
>
> When I log onto my machine (which has the admin tools
> installed) as a normal
> user, I can modify/create/delete domain user accounts, and
> create new GPO's.
>
> Things I have tried:
>
> Checking everyone group and domain user group permissions on
> the domain and
> each OU. Would appear that those groups have reset password
> and some write
> permissions. They are not members of domain
> admins/admins/enterprise
> admins.
>
> I have searched high and low for what the default domain user
> permissions
> should be but cannot locate a document with them on. Could
> someone post
> them here please?
>
> Any help much appreciated.

to see what the default explicit security is of each object in AD when
created do the following:
BE VERY CAREFULLWITH WHAT YOU DO!
* open a command prompt
* run schmmgmt.msc
* Click on the classes node
* Right click on the class of the object you want to check the default
permissions for
* Click on the Default Security TAB (may be called something else
depending on OS)
* Et voila the default permissions for the class an object belongs to

--
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Security-Default-domain-pe...
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1327197
Related resources
July 30, 2005 8:40:08 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Chaps - thanks for the replies.

I'll check them out at work Monday at post my findings.

BTW - the user account in question is a member of domain users ONLY.

"Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in message
news:3_1327197_41f846cfbf94269c61658198c99e9f18@windowsforumz.com...
> "" wrote:
> > Hi all - posted this issue in win2000.active_directory a few
> > days ago,
> > wonder someone could help me?
> >
> > The OS is windows2000, single domain in native mode.
> >
> > When I log onto my machine (which has the admin tools
> > installed) as a normal
> > user, I can modify/create/delete domain user accounts, and
> > create new GPO's.
> >
> > Things I have tried:
> >
> > Checking everyone group and domain user group permissions on
> > the domain and
> > each OU. Would appear that those groups have reset password
> > and some write
> > permissions. They are not members of domain
> > admins/admins/enterprise
> > admins.
> >
> > I have searched high and low for what the default domain user
> > permissions
> > should be but cannot locate a document with them on. Could
> > someone post
> > them here please?
> >
> > Any help much appreciated.
>
> to see what the default explicit security is of each object in AD when
> created do the following:
> BE VERY CAREFULLWITH WHAT YOU DO!
> * open a command prompt
> * run schmmgmt.msc
> * Click on the classes node
> * Right click on the class of the object you want to check the default
> permissions for
> * Click on the Default Security TAB (may be called something else
> depending on OS)
> * Et voila the default permissions for the class an object belongs to
>
> --
> Posted using the http://www.windowsforumz.com interface, at author's
> request
> Articles individually checked for conformance to usenet standards
> Topic URL:
> http://www.windowsforumz.com/Security-Default-domain-pe...
> Visit Topic URL to contact author (reg. req'd). Report abuse:
> http://www.windowsforumz.com/eform.php?p=1327197
August 2, 2005 2:02:46 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Found it using the hyena tool somone else has mentioned in a post.

The everyone group was a member of administrators!

Removed it and will test later

"ade" <someone@nowhere.com> wrote in message
news:uHK6pzRlFHA.572@TK2MSFTNGP15.phx.gbl...
> Chaps - thanks for the replies.
>
> I'll check them out at work Monday at post my findings.
>
> BTW - the user account in question is a member of domain users ONLY.
>
> "Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in
message
> news:3_1327197_41f846cfbf94269c61658198c99e9f18@windowsforumz.com...
> > "" wrote:
> > > Hi all - posted this issue in win2000.active_directory a few
> > > days ago,
> > > wonder someone could help me?
> > >
> > > The OS is windows2000, single domain in native mode.
> > >
> > > When I log onto my machine (which has the admin tools
> > > installed) as a normal
> > > user, I can modify/create/delete domain user accounts, and
> > > create new GPO's.
> > >
> > > Things I have tried:
> > >
> > > Checking everyone group and domain user group permissions on
> > > the domain and
> > > each OU. Would appear that those groups have reset password
> > > and some write
> > > permissions. They are not members of domain
> > > admins/admins/enterprise
> > > admins.
> > >
> > > I have searched high and low for what the default domain user
> > > permissions
> > > should be but cannot locate a document with them on. Could
> > > someone post
> > > them here please?
> > >
> > > Any help much appreciated.
> >
> > to see what the default explicit security is of each object in AD when
> > created do the following:
> > BE VERY CAREFULLWITH WHAT YOU DO!
> > * open a command prompt
> > * run schmmgmt.msc
> > * Click on the classes node
> > * Right click on the class of the object you want to check the default
> > permissions for
> > * Click on the Default Security TAB (may be called something else
> > depending on OS)
> > * Et voila the default permissions for the class an object belongs to
> >
> > --
> > Posted using the http://www.windowsforumz.com interface, at author's
> > request
> > Articles individually checked for conformance to usenet standards
> > Topic URL:
> >
http://www.windowsforumz.com/Security-Default-domain-pe...
> > Visit Topic URL to contact author (reg. req'd). Report abuse:
> > http://www.windowsforumz.com/eform.php?p=1327197
>
>
!