Default domain permissions

Archived from groups: microsoft.public.win2000.security (More info?)

Hi all - posted this issue in win2000.active_directory a few days ago,
wonder someone could help me?

The OS is windows2000, single domain in native mode.

When I log onto my machine (which has the admin tools installed) as a normal
user, I can modify/create/delete domain user accounts, and create new GPO's.

Things I have tried:

Checking everyone group and domain user group permissions on the domain and
each OU. Would appear that those groups have reset password and some write
permissions. They are not members of domain admins/admins/enterprise
admins.

I have searched high and low for what the default domain user permissions
should be but cannot locate a document with them on. Could someone post
them here please?

Any help much appreciated.
4 answers Last reply
More about default domain permissions
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    I do not believe there is such a document, and if so, then I would
    question if it is up-to-date.

    You say a normal user has those abilities, but you have not mentioned
    the history of the environment, or whether you have considered all
    groups in which the user holds membership.
    The abilities you mentioned are things often delegated, and it sounds
    as if the Users group may have been delegated those abilities.

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "ade" <someone@nowhere.com> wrote in message
    news:OxkszDbkFHA.1204@TK2MSFTNGP12.phx.gbl...
    > Hi all - posted this issue in win2000.active_directory a few days ago,
    > wonder someone could help me?
    >
    > The OS is windows2000, single domain in native mode.
    >
    > When I log onto my machine (which has the admin tools installed) as a
    normal
    > user, I can modify/create/delete domain user accounts, and create new
    GPO's.
    >
    > Things I have tried:
    >
    > Checking everyone group and domain user group permissions on the domain
    and
    > each OU. Would appear that those groups have reset password and some
    write
    > permissions. They are not members of domain admins/admins/enterprise
    > admins.
    >
    > I have searched high and low for what the default domain user permissions
    > should be but cannot locate a document with them on. Could someone post
    > them here please?
    >
    > Any help much appreciated.
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    "" wrote:
    > Hi all - posted this issue in win2000.active_directory a few
    > days ago,
    > wonder someone could help me?
    >
    > The OS is windows2000, single domain in native mode.
    >
    > When I log onto my machine (which has the admin tools
    > installed) as a normal
    > user, I can modify/create/delete domain user accounts, and
    > create new GPO's.
    >
    > Things I have tried:
    >
    > Checking everyone group and domain user group permissions on
    > the domain and
    > each OU. Would appear that those groups have reset password
    > and some write
    > permissions. They are not members of domain
    > admins/admins/enterprise
    > admins.
    >
    > I have searched high and low for what the default domain user
    > permissions
    > should be but cannot locate a document with them on. Could
    > someone post
    > them here please?
    >
    > Any help much appreciated.

    to see what the default explicit security is of each object in AD when
    created do the following:
    BE VERY CAREFULLWITH WHAT YOU DO!
    * open a command prompt
    * run schmmgmt.msc
    * Click on the classes node
    * Right click on the class of the object you want to check the default
    permissions for
    * Click on the Default Security TAB (may be called something else
    depending on OS)
    * Et voila the default permissions for the class an object belongs to

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Security-Default-domain-permissions-ftopict401050.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1327197
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Chaps - thanks for the replies.

    I'll check them out at work Monday at post my findings.

    BTW - the user account in question is a member of domain users ONLY.

    "Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in message
    news:3_1327197_41f846cfbf94269c61658198c99e9f18@windowsforumz.com...
    > "" wrote:
    > > Hi all - posted this issue in win2000.active_directory a few
    > > days ago,
    > > wonder someone could help me?
    > >
    > > The OS is windows2000, single domain in native mode.
    > >
    > > When I log onto my machine (which has the admin tools
    > > installed) as a normal
    > > user, I can modify/create/delete domain user accounts, and
    > > create new GPO's.
    > >
    > > Things I have tried:
    > >
    > > Checking everyone group and domain user group permissions on
    > > the domain and
    > > each OU. Would appear that those groups have reset password
    > > and some write
    > > permissions. They are not members of domain
    > > admins/admins/enterprise
    > > admins.
    > >
    > > I have searched high and low for what the default domain user
    > > permissions
    > > should be but cannot locate a document with them on. Could
    > > someone post
    > > them here please?
    > >
    > > Any help much appreciated.
    >
    > to see what the default explicit security is of each object in AD when
    > created do the following:
    > BE VERY CAREFULLWITH WHAT YOU DO!
    > * open a command prompt
    > * run schmmgmt.msc
    > * Click on the classes node
    > * Right click on the class of the object you want to check the default
    > permissions for
    > * Click on the Default Security TAB (may be called something else
    > depending on OS)
    > * Et voila the default permissions for the class an object belongs to
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's
    > request
    > Articles individually checked for conformance to usenet standards
    > Topic URL:
    > http://www.windowsforumz.com/Security-Default-domain-permissions-ftopict401050.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse:
    > http://www.windowsforumz.com/eform.php?p=1327197
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Found it using the hyena tool somone else has mentioned in a post.

    The everyone group was a member of administrators!

    Removed it and will test later

    "ade" <someone@nowhere.com> wrote in message
    news:uHK6pzRlFHA.572@TK2MSFTNGP15.phx.gbl...
    > Chaps - thanks for the replies.
    >
    > I'll check them out at work Monday at post my findings.
    >
    > BTW - the user account in question is a member of domain users ONLY.
    >
    > "Jorge_de_Almeida_Pinto" <UseLinkToEmail@WindowsForumz.com> wrote in
    message
    > news:3_1327197_41f846cfbf94269c61658198c99e9f18@windowsforumz.com...
    > > "" wrote:
    > > > Hi all - posted this issue in win2000.active_directory a few
    > > > days ago,
    > > > wonder someone could help me?
    > > >
    > > > The OS is windows2000, single domain in native mode.
    > > >
    > > > When I log onto my machine (which has the admin tools
    > > > installed) as a normal
    > > > user, I can modify/create/delete domain user accounts, and
    > > > create new GPO's.
    > > >
    > > > Things I have tried:
    > > >
    > > > Checking everyone group and domain user group permissions on
    > > > the domain and
    > > > each OU. Would appear that those groups have reset password
    > > > and some write
    > > > permissions. They are not members of domain
    > > > admins/admins/enterprise
    > > > admins.
    > > >
    > > > I have searched high and low for what the default domain user
    > > > permissions
    > > > should be but cannot locate a document with them on. Could
    > > > someone post
    > > > them here please?
    > > >
    > > > Any help much appreciated.
    > >
    > > to see what the default explicit security is of each object in AD when
    > > created do the following:
    > > BE VERY CAREFULLWITH WHAT YOU DO!
    > > * open a command prompt
    > > * run schmmgmt.msc
    > > * Click on the classes node
    > > * Right click on the class of the object you want to check the default
    > > permissions for
    > > * Click on the Default Security TAB (may be called something else
    > > depending on OS)
    > > * Et voila the default permissions for the class an object belongs to
    > >
    > > --
    > > Posted using the http://www.windowsforumz.com interface, at author's
    > > request
    > > Articles individually checked for conformance to usenet standards
    > > Topic URL:
    > >
    http://www.windowsforumz.com/Security-Default-domain-permissions-ftopict401050.html
    > > Visit Topic URL to contact author (reg. req'd). Report abuse:
    > > http://www.windowsforumz.com/eform.php?p=1327197
    >
    >
Ask a new question

Read More

Domain Permissions Windows