22nd September 2009, 01:11 PM #1
Additional groups have admin rights on Domain Controller
I've just run some Microsoft Baseline Security Analyser (MBSA 2.1) scans of my servers and I've discovered a really worrying permissions issue.
On all 3 of my domain controllers I'm alerted to more than 2 administrators being found:
* BCGS\administrator (that's correct)
The latter 2 are obviously very wrong and incredibly concerning! Both of those are assigned by GPO as restrictive groups but only to the OUs containing workstations, not containing domain controllers!
Obviously I can't remove these administrators via Computer Management as Local Users and Groups is disabled on domain controllers.
I've done a gpresult on one of my DCs (Windows Server 2003):
Applied Group Policy Objects
Default Domain Controllers Policy
Default Domain Policy
The problem groups are not assigned by any of these policies and a quick scan of 2 of my member servers (out of 15) shows the problem groups have no admin rights on member servers.
Any ideas please folks, tearing my hair out here!
Last edited by jonathanhaddock; 22nd September 2009 at 03:27 PM.
22nd September 2009, 04:57 PM #2
Are these groups that give administrator rights to users on local machines?
Who are the members of the groups?
22nd April 2010, 02:10 PM #3
To reply to this thread, I've now resolved the problems.
As most are probably aware, you cannot edit the local users and groups on a Domain Controller - the local SAM database is disabled at the point AD is installed.
However, it is possible to make additional users/groups administrators of Domain Controllers via Active Directory's Builtin section.
If you open Active Directory Users and Computers and browse to the Builtin container there are a number of groups, including Administrators. This Administrators group relates to domain controllers (as, to my knowledge, do all of these groups). By mistakenly adding users to this Administrators group, users can become administrators of the entire domain (test that, quite terrifying).
To make a separate group, say PCAdmins, administrators of workstations, the PCAdmins group should be added via Restricted Groups in GPO.
Hope this info is useful for others at a later date.
Attachment is how MBSA shows the additional administrators, taken from a network I consulted on after the company had discovered problems.
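An added example, not from the thread, of how a defender can audit the Builtin\Administrators group described above with the ActiveDirectory PowerShell module. The allow-list of expected members and the PCAdmins group name are assumptions taken from this thread.

```powershell
# Audit the domain's Builtin\Administrators group (the one that grants admin
# rights on every domain controller) and report members that are not expected.
# Requires the RSAT ActiveDirectory module and read access to AD.
Import-Module ActiveDirectory

# Expected direct members (assumption): the default members of
# Builtin\Administrators in a forest root domain.
$expected = @('Administrator', 'Domain Admins', 'Enterprise Admins')

# S-1-5-32-544 is the well-known SID of Builtin\Administrators, so the lookup
# works even if the group has been renamed or the DC uses another language.
$builtinAdmins = Get-ADGroup -Identity 'S-1-5-32-544'

$direct     = Get-ADGroupMember -Identity $builtinAdmins
$unexpected = $direct | Where-Object { $expected -notcontains $_.SamAccountName }

if (-not $unexpected) {
    Write-Host "$($builtinAdmins.Name) contains only the expected members."
    return
}

Write-Warning "Unexpected members of $($builtinAdmins.Name) (admin on all DCs):"
$unexpected | ForEach-Object {
    # Expand nested groups so the accounts that actually gain DC admin rights are visible.
    $effective = if ($_.objectClass -eq 'group') {
        (Get-ADGroupMember -Identity $_ -Recursive |
            Select-Object -ExpandProperty SamAccountName) -join ', '
    } else {
        '(direct account)'
    }
    [PSCustomObject]@{
        Member         = $_.SamAccountName
        Class          = $_.objectClass
        EffectiveUsers = $effective
    }
} | Format-Table -AutoSize

# Remediation dry run (assumed group name from the thread): a workstation admin
# group such as PCAdmins belongs in Restricted Groups for the workstation OUs,
# not in Builtin\Administrators. Drop -WhatIf once the output looks right.
Remove-ADGroupMember -Identity $builtinAdmins -Members 'PCAdmins' -Confirm:$false -WhatIf
```

Run the audit on each domain in the forest; Enterprise Admins is only a default member in the forest root domain, so trim the allow-list for child domains.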