Problem with Domain Admin becoming Administrator (builtin)

Discussion in 'Server Security' started by FlarkySmoo, Apr 11, 2006.

  1. I'm having a problem with limiting domain admin access to a user that does
    need domain admin access but not anything higher than that. I've tried using
    the Delegation of Control wizard, but that still allows this user to elevate his
    own privileges to the built-in Administrators group, which gives complete
    access to even elevate to Enterprise Admin or Schema Admin, etc. Is there a way to
    prevent this that I'm overlooking?
    Thanks in advance,

    FlarkySmoo, Apr 11, 2006

  2. Unfortunately you're not going to find much luck with that. The forest is
    the security boundary in Active Directory for precisely that reason - if you
    need to absolutely isolate one domain from other domain admins in your
    environment, your best bet is to place that domain in a separate forest.

    Laura E. Hunter [MVP], Apr 11, 2006

  3. Thanks for the reminder, I had actually forgotten about that. (Must be stress.)
    I did find a method that I believe might work but wanted a second opinion.
    I've created a test account and gave this account membership in the Remote
    Desktop Users and Account Operators groups. I can log in to the domain controller
    with that account. Further, I have edited the default domain security
    settings on the primary domain controller to allow Domain Admins and Account
    Operators to add workstations to the domain. I think this will take care of it.
    The user I'm trying to control only needs to be able to be a member of the
    Administrators group on any user PC that he logs into, because he's on the
    helpdesk. Also, he needs to be able to join/disjoin computers from the
    domain. BUT I don't want him to be a domain admin, because that allows him
    to elevate his privileges, which he keeps doing so that he can "play" with the
    servers and group policies. I believe now I can remove his account
    membership from the Domain Admins group and he can still perform his duties.
    What do you think?
    FlarkySmoo, Apr 11, 2006
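The post above proposes a specific end state: the helpdesk account is out of Domain Admins and the built-in Administrators group, is in Account Operators and Remote Desktop Users, and Account Operators has been granted "Add workstations to domain" on the domain controllers. The following script, added here as an example and not part of the thread, checks that end state from a domain controller. It assumes the RSAT ActiveDirectory module is available, an elevated prompt on a DC, and a hypothetical account name `jdoe`; the group names are the ones the thread uses.

```powershell
# Added example, not from the thread. Verifies from a domain controller that a
# helpdesk account holds only the memberships the post above settles on
# (Account Operators, Remote Desktop Users) and none of the groups that confer
# domain- or forest-wide control, then lists who currently holds the
# "Add workstations to domain" user right. Needs the RSAT ActiveDirectory
# module; run it in an elevated prompt on a DC so secedit sees the DC policy.
Import-Module ActiveDirectory

$HelpdeskUser = 'jdoe'   # hypothetical sAMAccountName of the account under review

# Groups the thread names: the ones to be out of, and the ones to be in.
$MustNotBeIn = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$ShouldBeIn  = 'Account Operators', 'Remote Desktop Users'

function Test-GroupMembership {
    param([string]$SamAccountName, [string[]]$GroupNames)
    foreach ($g in $GroupNames) {
        try {
            # -Recursive expands nested groups, so membership through an
            # intermediate group is reported too.
            $members  = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
            $isMember = [bool]($members | Where-Object { $_.SamAccountName -eq $SamAccountName })
        } catch {
            # Enterprise Admins / Schema Admins only exist in the forest root domain
            $isMember = 'group not found in this domain'
        }
        [pscustomobject]@{ Group = $g; IsMember = $isMember }
    }
}

function Get-AddWorkstationsRight {
    # secedit exports the effective user-rights assignment; on a DC that is the
    # Default Domain Controllers Policy the post above edited.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' }
    Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Right-hand side is a comma-separated list of *SID or account names.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}

"Memberships for $HelpdeskUser (expect False for the first four, True for the last two):"
Test-GroupMembership -SamAccountName $HelpdeskUser -GroupNames ($MustNotBeIn + $ShouldBeIn) |
    Format-Table -AutoSize

"Principals holding 'Add workstations to domain' (SeMachineAccountPrivilege):"
Get-AddWorkstationsRight
```

Two caveats when reading the output. The recursive membership check is the one that matters: a nested group the account sits in counts just as much as direct membership. And on an unmodified domain the second function will list Authenticated Users (`*S-1-5-11`), because every authenticated user already holds "Add workstations to domain" by default, subject to the domain's ms-DS-MachineAccountQuota; granting it explicitly to Account Operators only matters if that default was removed.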
  4. Delegation is used for when you want a regular domain user to be able to
    manage AD objects that you specify. Such a user would not be able to add
    themselves to any privileged group. There would be no reason to use
    delegation for an account that is already in the domain
    admins/administrators group. --- Steve
    Steven L Umbach, Apr 11, 2006
  5. Steve, sorry, I may not have made it clear, but I removed this user from the
    built-in Administrators group as well as the Domain Admins group, and made
    him an Account Operator. That is when I ran the Delegation of Control wizard
    and also edited the domain security settings to allow additional permissions
    for the Account Operators group so that he can do his helpdesk duties. I
    think everything is working smoothly, and today he has not elevated his
    privileges. However, he did try to hack another user's account to get domain
    admin access, but was unsuccessful. Looks like I'm going to have to add a
    software restriction list in GP. Any other suggestions?
    FlarkySmoo, Apr 12, 2006
  6. So it sounds like he indeed cannot make himself a domain-level
    administrator. When you say "he did try to hack another user's account to
    get domain admin access, but was unsuccessful", do you mean this was an
    authorized test of such or malicious activity? What are you looking to do in
    the way of software restrictions, and what operating systems are involved?
    --- Steve
    Steven L Umbach, Apr 12, 2006
  7. Steve, no, it was not an approved hack. He has used a password grabber before
    on another helpdesk user's computer to gain access to elevate his privileges.
    It's kind of good in a way to have an internal hacker wannabe, because this
    helps to identify security holes and vulnerabilities which need to be tightened
    up and addressed. I'm looking to create a software restriction list with hash
    values so that various programs like this can't be installed, for instance
    Kazaa or Cain and Abel, etc.
    FlarkySmoo, Apr 12, 2006
  8. Interesting. I am surprised that is tolerated without some sort of
    discipline that could lead to termination if continued, but I don't know all
    the details, and sometimes office politics dictates what you have to do [like
    he is the boss's nephew, etc.], but such a user can become dangerous by
    becoming increasingly aggressive at accomplishing his goal in a game of

    Software Restriction Policies, along with access control list lockdown,
    making sure the user is not an administrator anywhere, including for local
    machine accounts, restricting what computers he can log on to [the "log on
    locally" user right, or in the user account properties in ADUC - "Log On
    To"], and Group Policy restrictions can go a long way to mitigating such a
    threat, with the understanding that any computer that is not physically
    secured can be compromised by a skilled and determined attacker. In the case
    of your special user you may want to implement SRP with a default Disallowed
    security level [which still allows a user to run .exe files in \windows,
    \windows\system32, and any application in the Program Files folder] and then
    create exceptions for allowed executables with path/hash rules. When
    tweaking SRP, keep in mind that shortcuts for the desktop, etc. - .lnk files -
    are by default restricted by SRP, and you need to work around that with either
    explicit exceptions or by removing .lnk from the list of designated file types.
    Also, when tweaking, you should see events in the Application log when SRP
    restricts a program or executable. If you have not seen the link below, it is
    pretty good help on SRP. Note, however, that none of the above protects
    against a hardware keyboard logger, which can easily be installed and be hard
    to detect. Good luck! --- Steve
    --- XP Pro SRP
    Steven L Umbach, Apr 12, 2006
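The advice above has several parts that are easy to get subtly wrong when translated into a policy: the default level must actually be Disallowed, the policy must not exempt local administrators, `.lnk` must either stay a designated file type with exceptions or be removed from the list, and the exceptions are path or hash rules. The script below is an added example, not from the thread or from Microsoft, that audits those settings read-only on a workstation where the policy has applied, checks a binary against the hash rules the way a hash rule is evaluated (same algorithm, same digest), and pulls the SRP block events from the Application log. It assumes an elevated Windows PowerShell prompt; the registry layout under `Safer\CodeIdentifiers` and the event IDs 865 to 868 are the ones SRP uses, while the mapping of `HashAlg` values to MD5 and SHA-1 is my assumption for reporting purposes only.

```powershell
# Added example, not from the thread. Read-only audit of the Software Restriction
# Policy in effect on a machine: the default security level, whether local
# administrators are exempt, whether .lnk is still a designated file type, the
# path and hash rules that form the exceptions, and the Application-log events
# SRP writes when it blocks something. Run in an elevated prompt after the
# policy has applied (gpupdate /force).
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel and as the names of the rule subkeys.
$Levels   = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Restricted'
               131072 = 'Basic User'; 262144 = 'Unrestricted' }
# Assumed mapping of the HashAlg value to the digest stored in ItemData (CALG_MD5 / CALG_SHA1).
$HashAlgs = @{ 32771 = 'MD5'; 32772 = 'SHA1' }

function Get-SrpSummary {
    if (-not (Test-Path $Base)) { return $null }   # no SRP policy applied here
    $ci = Get-ItemProperty -Path $Base
    [pscustomobject]@{
        DefaultLevel       = $Levels[[int]$ci.DefaultLevel]
        # PolicyScope 0 = applies to all users; 1 = all users except local administrators
        ExemptsLocalAdmins = ([int]$ci.PolicyScope -eq 1)
        # TransparentEnabled 1 = all software except DLLs; 2 = all software files
        ChecksDlls         = ([int]$ci.TransparentEnabled -eq 2)
        LnkIsDesignated    = ($ci.ExecutableTypes -contains 'LNK')
        DesignatedTypes    = ($ci.ExecutableTypes -join ',')
    }
}

function Get-SrpRules {
    # Rules live under <level>\Paths\{GUID} and <level>\Hashes\{GUID}.
    foreach ($lvl in $Levels.Keys) {
        $lvlKey = Join-Path $Base $lvl
        if (-not (Test-Path $lvlKey)) { continue }
        Get-ChildItem (Join-Path $lvlKey 'Paths') -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Level = $Levels[$lvl]; Type = 'Path'; Target = $p.ItemData; Hash = '' }
        }
        Get-ChildItem (Join-Path $lvlKey 'Hashes') -ErrorAction SilentlyContinue | ForEach-Object {
            $h   = Get-ItemProperty $_.PSPath
            $alg = $HashAlgs[[int]$h.HashAlg]; if (-not $alg) { $alg = "alg $($h.HashAlg)" }
            [pscustomobject]@{
                Level  = $Levels[$lvl]; Type = 'Hash'
                Target = "$($h.FriendlyName) ($($h.ItemSize) bytes)"
                Hash   = "$alg " + (($h.ItemData | ForEach-Object { $_.ToString('x2') }) -join '')
            }
        }
    }
}

function Test-HashRuleMatch {
    # Compare a file on disk against the hash rules the way SRP evaluates a hash
    # rule: same algorithm, same digest. Returns the matching rules, if any.
    param([string]$Path)
    $rules = Get-SrpRules | Where-Object Type -eq 'Hash'
    foreach ($alg in 'MD5', 'SHA1') {
        $digest = (Get-FileHash -Path $Path -Algorithm $alg).Hash.ToLower()
        $rules | Where-Object { $_.Hash -eq "$alg $digest" }
    }
}

function Get-SrpBlockEvents {
    # SRP logs to the Application log: 865 = blocked by the default level,
    # 866 = path rule, 867 = certificate rule, 868 = hash rule. The provider name
    # differs between XP/2003 and later versions, so match it loosely.
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866, 867, 868 } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*SoftwareRestrictionPolicies*' -or
                       $_.ProviderName -like 'Software Restriction*' } |
        Select-Object TimeCreated, Id, Message
}

Get-SrpSummary   | Format-List
Get-SrpRules     | Format-Table -AutoSize
Get-SrpBlockEvents | Format-Table -Wrap
# Example check of a specific binary against the hash rules (hypothetical path):
# Test-HashRuleMatch -Path 'C:\Tools\cain.exe'
```

Read the summary first: `DefaultLevel` should be `Disallowed` and `ExemptsLocalAdmins` should be `False` for the scenario in the thread, otherwise a local administrator account on the PC bypasses the policy entirely. A hash rule pins one exact build of a binary, so a renamed or recompiled copy of the same tool will not match; that is why the thread pairs hash rules with a Disallowed default rather than relying on a blocklist of known hashes alone. The event query is the quickest way to find which legitimate shortcut or installer the policy is breaking during tuning.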
  9. If you give me AccOp on a domain, I can get Enterprise Admin pretty much at my
    convenience. As Laura said, you can't lock this down. You can try all day, but
    you cannot do it effectively.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], Apr 14, 2006
