Posted by Joe Richards [MVP] on February 4, 2006, 3:22 pm
Wow you really did that the hard and insecure way. Just an FYI, the people who
are in that group very likely have enough permissions now to escalate themselves
to domain or enterprise admins.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Dedicated_Dad wrote:
> Figured I'd post the solution in case it may help someone else...
>
> First I added the "assistant" to the "Account Operators" group. This gave
> more rights than necessary, so we needed to "deny" the extra stuff.
>
> Drilling into the Advanced security properties (make sure you turn on "View
> Advanced Features"!) and clicking "Add", after adding the account (or group)
> in question, change the "Apply Onto" dropdown to "User Objects" and add the
> "Deny" permission for:
>
> Change Password
> Modify Permissions
> Receive As
> Reset Password
> Send As
>
> Write Group Membership
> Write PwdLastSet (80%)
> Write x500uniqueidentifier (99)
> Write userpkcs12 (95)
> Write usercertificate
> write security protocol (90)
> write msdrm-identity certificate
> write attributecertificateattribute
> write attributecertificate
> write accountexpires
>
> This allows them to edit the address, phone, organization, etc. without
> allowing password, group, or other "security-related" changes.
>
> Hope this helps someone...
>
> DD
>
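Added example (not from either poster): the least-privilege alternative to "Account Operators plus Deny ACEs" is to grant the assistant's group Write access to just the contact attributes on the OU that holds the users, and never put them in Account Operators at all. The script first lists who is in Account Operators (the exposure Joe points at), then grants only WriteProperty on named attributes, inherited to user objects under the OU, and reads the result back. The group name `HelpdeskAttrEditors`, the OU `OU=Staff,DC=example,DC=com` and the attribute list are assumptions to replace; schema GUIDs are looked up at run time rather than hard-coded.

```powershell
# Added example, not the thread's own procedure. Requires the ActiveDirectory
# module (RSAT) and rights to change the OU's ACL. Names below are placeholders.
Import-Module ActiveDirectory

$DelegateGroup = 'HelpdeskAttrEditors'            # assumed delegation group
$TargetOU      = 'OU=Staff,DC=example,DC=com'     # assumed OU holding the users
# Only the address/phone/organization attributes the assistant should edit.
$AllowedAttrs  = @('streetAddress','l','st','postalCode','telephoneNumber',
                   'mobile','facsimileTelephoneNumber','title','department',
                   'company','physicalDeliveryOfficeName')

# 1. Audit: membership of Account Operators is the risk Joe describes, so report it.
$ao = Get-ADGroupMember -Identity 'Account Operators' -Recursive
if ($ao) {
    'Account Operators currently contains:'
    $ao | Select-Object -ExpandProperty SamAccountName
}

# 2. Resolve schemaIDGUIDs at run time from lDAPDisplayName (no hard-coded GUIDs).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
                        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID          # byte[] -> Guid
}
$userClassGuid = Get-SchemaGuid 'user'

# 3. Add Allow/WriteProperty ACEs, one per attribute, inherited only to user objects.
$sid = (Get-ADGroup -Identity $DelegateGroup).SID
$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($attr in $AllowedAttrs) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 4. Verify: the group's ACEs should be WriteProperty on the listed attribute GUIDs
#    only; no Reset Password, Write Members, WriteDacl or GenericAll entries.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$DelegateGroup" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
```

Because nothing is granted beyond the named attributes, there is no need for the Deny list in DD's post, and the assistant gets no rights on passwords, group membership or ACLs to begin with. Reading the ACL back at the end is the check worth keeping: anyone who can write a deny-list can also miss an entry, whereas an allow-only ACE list is short enough to eyeball.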