Server 2003 Admin Pack allows Domain User to create Domain Admin account

  • Question

  • I have a single domain AD schema running on Windows Server 2003 R2 SP2 Standard/Enterprise servers. I had a domain user (who is my SQL admin) install the Server 2003 Admin Pack today so he could query AD for user names. We discovered that he could make changes to the accounts in AD. We did a little more testing, created a new Domain User account and that account was able to create a new Domain Admin account. As far as I can tell, the Domain User accounts do NOT have any permissions that should allow this type of behavior. I want to make sure we don't have any security holes in the domain, so I would like to hear any feedback as to why this is happening. Thank you for your help.
    Friday, October 29, 2010 9:46 PM

Answers

  • Hello,

    By default the Admin Pack will only let you perform functions for which you have the necessary privilege. If you have no privilege, then you can only view the AD structure and can't make any changes. So I would start by examining your domain security policies. Look at the Domain Users group and see which other groups it is a member of; see if it is a member of the Domain Admins group. Or open the Domain Admins group and see the membership of that group, and look into all the groups that are members of it, recursively.


    Isaac Oben MCITP:EA, MCSE
    Friday, October 29, 2010 10:03 PM
  • Hi,

    I agree with the above opinion. Some permissions can be delegated to the group this domain user belongs to, or to this domain user directly, via the Delegation of Control Wizard.

    Please ask this domain user to log into the domain and run the command `WhoAmI /All` to verify the group relationships and permissions.

    After that, you need to change the group membership or permission settings to make sure this domain user cannot create user accounts.

    Regards,

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, November 1, 2010 5:23 AM
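The two answers above describe a manual procedure: walk the membership of Domain Admins recursively, then look for delegated permissions and have the user run `whoami /all`. The script below is an added example that is not code from any of the posters; it does both checks from a domain-joined machine with plain ADSI, so it works against Server 2003 DCs with PowerShell 2.0 and no RSAT or ActiveDirectory module. It assumes the default container names (CN=Users, CN=AdminSDHolder,CN=System) and the well-known schemaIDGUIDs of the `member` attribute and the `user` class. One caveat a practitioner should know here: Domain Admins is a protected group, so SDProp rewrites its ACL from CN=AdminSDHolder every 60 minutes by default; if somebody delegated "modify members" on Domain Admins through the Delegation of Control Wizard, the ACE that actually survives is the one on AdminSDHolder, which is why the script checks that object as well. `whoami /groups` shows memberships (nested ones included) but not delegated ACEs, so the ACL pass is what finds the wizard case.

```powershell
# Added example for this thread, not code from any of the posters. Finds what lets an
# ordinary Domain User create accounts and add them to Domain Admins:
#   1. effective membership of Domain Admins with nested groups expanded, and
#   2. broad principals (Everyone, Authenticated Users, Domain Users, ...) holding
#      create/write rights on the domain head, CN=Users, every OU, the Domain Admins
#      group and CN=AdminSDHolder (the ACL SDProp copies onto protected groups).
# Plain ADSI / System.DirectoryServices, so it runs against Server 2003 DCs from any
# domain-joined host with PowerShell 2.0 or later. Run it as the Domain User in question.

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
$domain    = [ADSI]"LDAP://$domainDn"
$domainSid = (New-Object System.Security.Principal.SecurityIdentifier($domain.psbase.Properties['objectSid'].Value, 0)).Value

# Principals that should never hold create/write rights where only admins should.
$broad = @{
    'S-1-1-0'            = 'Everyone'
    'S-1-5-7'            = 'Anonymous Logon'
    'S-1-5-11'           = 'Authenticated Users'
    'S-1-5-32-545'       = 'BUILTIN\Users'
    "${domainSid}-513"   = 'Domain Users'
    "${domainSid}-515"   = 'Domain Computers'
}

function Get-EntrySid($entry) {
    $bytes = $entry.psbase.Properties['objectSid'].Value
    if ($null -eq $bytes) { return $null }
    return (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

# 1. Walk the 'member' attribute recursively; $seen stops loops in nested groups.
function Get-NestedMembers([string]$groupDn, [hashtable]$seen, [System.Collections.ArrayList]$out) {
    $group = [ADSI]"LDAP://$groupDn"
    foreach ($memberDn in @($group.psbase.Properties['member'])) {
        if ($seen.ContainsKey($memberDn)) { continue }
        $seen[$memberDn] = $true
        $member = [ADSI]"LDAP://$memberDn"
        $sid    = Get-EntrySid $member
        $class  = $member.psbase.SchemaClassName          # user, group, computer, ...
        [void]$out.Add((New-Object PSObject -Property @{
            DN = $memberDn; Class = $class; SID = $sid
            Broad = ($null -ne $sid -and $broad.ContainsKey($sid)) }))
        if ($class -eq 'group') { Get-NestedMembers $memberDn $seen $out }
    }
}

# 2. Allow ACEs for broad principals carrying any create/write right.
$writeMask  = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll'
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of attribute 'member'
$userClass  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'user'

function Get-RiskyAces([string]$dn) {
    $entry = [ADSI]"LDAP://$dn"
    try { $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) }
    catch { Write-Warning "Cannot read the ACL of ${dn}: $_"; return }
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $broad.ContainsKey($sid)) { continue }
        if (([int]$ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        $scope = 'whole object'
        if     ($ace.ObjectType -eq $memberAttr)   { $scope = 'member attribute: can add group members' }
        elseif ($ace.ObjectType -eq $userClass)    { $scope = 'user class: can create user objects' }
        elseif ($ace.ObjectType -ne [guid]::Empty) { $scope = "object type $($ace.ObjectType)" }
        New-Object PSObject -Property @{
            Object = $dn; Principal = $broad[$sid]; Rights = $ace.ActiveDirectoryRights.ToString()
            Scope = $scope; Inherited = $ace.IsInherited }
    }
}

# Domain Admins is RID 512; bind by SID so a moved group is still found.
$daDn = [string]([ADSI]"LDAP://<SID=${domainSid}-512>").psbase.Properties['distinguishedName'].Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, '(objectClass=organizationalUnit)', @('distinguishedName'))
$searcher.PageSize = 500
$targets = @($domainDn, "CN=Users,$domainDn", "CN=AdminSDHolder,CN=System,$domainDn", $daDn) +
           @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] })

$members = New-Object System.Collections.ArrayList
Get-NestedMembers $daDn @{} $members
Write-Host "`n== Effective members of $daDn (nested groups expanded) =="
$members | Sort-Object Broad -Descending | Format-Table Broad, Class, DN -AutoSize

Write-Host "`n== Broad principals with create/write rights (a healthy domain reports none) =="
$findings = @($targets | ForEach-Object { Get-RiskyAces $_ })
if ($findings.Count -eq 0) { 'None. Next, run whoami /groups as the user and compare against the membership list above.' }
else { $findings | Format-Table Principal, Rights, Scope, Inherited, Object -AutoSize }
```

Any row in the second table is a finding: a "user class" ACE on the domain head or an OU is what lets the account create users, and a "member attribute" or "whole object" ACE on AdminSDHolder (or on the group itself, until SDProp reverts it) is what lets it add that user to Domain Admins. An inherited ACE on every OU points back to the domain head as the place the delegation was made. A Broad=True row in the first table means a group such as Domain Users or Authenticated Users has been nested into Domain Admins, which makes every account in the domain an administrator regardless of ACLs.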

All replies

  • Hello,

    As Isaac said, this has nothing to do with the adminpak itself. If a user is able to create accounts and add them to the Domain Admins security group, they have the required permissions to do it. Domain Users are only able to view the AD structure and can modify some settings of their own user account properties; that's it.

    Control the group membership of the account that was used to create this admin account, including all nested groups.


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Saturday, October 30, 2010 12:02 PM
  • Thanks for all of the quick replies. Here is where it gets interesting: we are a very small company (40 employees) and we only have 3 GPOs being applied, mainly for IE-related items like Local Intranet Zones and similar things. The Domain User account that was created to do this testing via the Admin Pack was a new one, which was able to create a Domain Admin account. We have already deleted that Domain User account, but I'll recreate it the exact same way and then run the "WhoAmI /All" command recommended by Arthur Li and post my results. It might take me a day or two to follow up as I have my auditors in the office this week. I know, great time to discover a security hole like this when my auditors are here, but I would like to know how it happened and fix it. Thank you and I'll report back as soon as possible.
    Monday, November 1, 2010 10:59 PM
  • Hi,

    I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,
    Monday, November 8, 2010 2:06 AM