Deny account operators from deleting users

LordChaos
May 10, 2005
Archived from groups: microsoft.public.win2000.active_directory

Hi all,
I have a problem regarding denying account operators deleting users in a
Windows 2003 Active Directory domain. I thought it would be quite
straightforward, but it actually wasn't. I added an ACE to one OU by setting
'Delete', 'Delete Sub-tree' and 'Delete All Child Objects' (which will set
all other granular delete flags) to deny for members of the account
operators group and applied it to this object and all child objects. I assumed
that these settings (deny ACEs) would be subtracted from the rights any member of
the account operators group is granted by group membership, but account
operators can still delete users! As I investigated more, I found out that
the effective permission on the OU is correct: account operators cannot delete
anything. But the effective permission on user objects directly beneath that OU
shows that account operators have full permission and the deny ACE was
overridden somehow. By the way, the audit log showed that the account operator
deleted the user successfully.
Does anyone know what this is all about??


Thanks in advance
 
Guest
Archived from groups: microsoft.public.win2000.active_directory

Yep. What it is all about is why you shouldn't use account ops.

Account ops is a legacy group from NT that had the ability to muck with all
computer, group, and user accounts. As such the default security descriptors on
those objects in the schema have permissions granted to account operators.

This means when you instantiate any of those objects, they will have explicit
full control permissions granted to account ops.

As you are probably aware, the permissions model is one of deny overrides grant,
explicit overrides inherited. That means your inherited deny is being overridden
by the explicit grant.

The proper way to do this is to build your own groups that you delegate
permissions to. Then you grant what you want and don't have to deny anything.
Denies tend to be messy and difficult to figure out later anyway.


joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


lordchaos wrote:
> Hi all,
> I have a problem regarding denying account operators deleting users in a
> Windows 2003 Active Directory domain. I thought it would be quite
> straightforward, but it actually wasn't. I added an ACE to one OU by setting
> 'Delete', 'Delete Sub-tree' and 'Delete All Child Objects' (which will set
> all other granular delete flags) to deny for members of the account
> operators group and applied it to this object and all child objects. I assumed
> that these settings (deny ACEs) would be subtracted from the rights any member of
> the account operators group is granted by group membership, but account
> operators can still delete users! As I investigated more, I found out that
> the effective permission on the OU is correct: account operators cannot delete
> anything. But the effective permission on user objects directly beneath that OU
> shows that account operators have full permission and the deny ACE was
> overridden somehow. By the way, the audit log showed that the account operator
> deleted the user successfully.
> Does anyone know what this is all about??
>
>
> Thanks in advance
>
>
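The evaluation order Joe describes (explicit deny, explicit allow, inherited deny, inherited allow, with the first matching deny on a still-requested right failing the check) is what turns an inherited deny on the OU into a no-op on the user objects beneath it. The following Python model is an added example, not code from the thread or from Microsoft; it reproduces both the original poster's symptom and Joe's recommended fix. The ACE representation, the right names, the group name `Staff-Admins` and the `create_user` helper that stamps a "schema default" allow for Account Operators onto every new user are simplified stand-ins for what AD really does (real ACEs carry object-type GUIDs, inheritance flags and many more access bits).

```python
"""Model of canonical DACL evaluation on directory objects.

Added example, not part of the original thread. Simplifications (assumptions):
  - every ACE on an OU propagates to its children (the poster chose
    'this object and all child objects');
  - instantiating a user stamps one explicit full-control allow for
    'Account Operators', standing in for the schema default security
    descriptor Joe describes.
"""
from __future__ import annotations
from dataclasses import dataclass, field

DELETE, DELETE_CHILD, DELETE_TREE = "Delete", "DeleteChild", "DeleteTree"
ALL_RIGHTS = frozenset({DELETE, DELETE_CHILD, DELETE_TREE, "Read", "Write"})


@dataclass(frozen=True)
class Ace:
    trustee: str          # group or principal name
    kind: str             # "allow" or "deny"
    rights: frozenset     # access bits carried by this ACE
    inherited: bool       # True if propagated from a parent, False if explicit


@dataclass
class DirObject:
    name: str
    dacl: list[Ace] = field(default_factory=list)
    children: list[DirObject] = field(default_factory=list)


def canonical_order(dacl: list[Ace]) -> list[Ace]:
    """Windows evaluates a canonical DACL as: explicit deny, explicit allow,
    inherited deny, inherited allow. Sorting by that rank models it."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])


def access_check(obj: DirObject, groups: set[str], wanted: set[str]) -> bool:
    """Simplified AccessCheck: walk ACEs in canonical order. A matching deny
    that covers any still-unsatisfied requested right fails immediately; a
    matching allow removes the rights it grants. Success once nothing remains."""
    remaining = set(wanted)
    for ace in canonical_order(obj.dacl):
        if ace.trustee not in groups:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
        if not remaining:
            return True
    return not remaining


def create_user(ou: DirObject, name: str,
                default_sd_trustees=("Account Operators",)) -> DirObject:
    """Instantiate a user under an OU: copy the OU's ACEs as inherited, then
    stamp the (assumed) schema-default explicit allows onto the new object."""
    user = DirObject(name)
    for ace in ou.dacl:
        user.dacl.append(Ace(ace.trustee, ace.kind, ace.rights, inherited=True))
    for trustee in default_sd_trustees:
        user.dacl.append(Ace(trustee, "allow", ALL_RIGHTS, inherited=False))
    ou.children.append(user)
    return user


def deny_on_ou_scenario() -> tuple[bool, bool]:
    """The poster's setup: inherited deny from the OU vs. explicit allow on the
    user. Returns (can delete a child of the OU, can delete the user object)."""
    ou = DirObject("OU=Staff")
    ou.dacl.append(Ace("Account Operators", "deny",
                       frozenset({DELETE, DELETE_CHILD, DELETE_TREE}), inherited=False))
    user = create_user(ou, "CN=alice")
    member = {"Account Operators", "Authenticated Users"}
    return (access_check(ou, member, {DELETE_CHILD}),
            access_check(user, member, {DELETE}))


def delegated_group_scenario() -> tuple[bool, bool]:
    """Joe's advice: delegate only what is needed to a custom group and never
    use Account Operators. Returns (can write the user, can delete the user)."""
    ou = DirObject("OU=Staff")
    ou.dacl.append(Ace("Staff-Admins", "allow", frozenset({"Read", "Write"}), inherited=False))
    user = create_user(ou, "CN=alice")   # default SD still names Account Operators,
    helpdesk = {"Staff-Admins", "Authenticated Users"}  # but nobody is a member of it
    return (access_check(user, helpdesk, {"Write"}),
            access_check(user, helpdesk, {DELETE}))


if __name__ == "__main__":
    print("deny on OU  -> (delete child of OU, delete user):", deny_on_ou_scenario())
    print("delegated   -> (write user, delete user):       ", delegated_group_scenario())
```

In the first scenario the OU itself refuses the delete (the explicit deny is evaluated first), but on the user object the explicit allow stamped at creation ranks ahead of the inherited deny and wins, which is exactly the effective-permissions result the poster saw. In the second scenario no deny is needed: the custom group is only ever granted Read and Write, so the delete request runs out of ACEs with `Delete` still unsatisfied. On a real domain the explicit ACE can be confirmed with `dsacls` on the user object, or with `(Get-Acl "AD:\<user DN>").Access` from the ActiveDirectory module, where the Account Operators entries show `IsInherited` as `False`.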