  1. #1
    jonathanhaddock

    Additional groups have admin rights on Domain Controller

    Hi all,

    I've just run some Microsoft Baseline Security Analyzer (MBSA) scans of my servers and I've discovered a really worrying permissions issue.

    On all 3 of my domain controllers I'm alerted to more than 2 administrators being found:
    * BCGS\administrator (that's correct)
    * BCGS\PCAdmins
    * BCGS\staff

    The latter 2 are obviously very wrong and incredibly concerning! Both of those are assigned by GPO as restrictive groups but only to the OUs containing workstations, not containing domain controllers!

    Obviously I can't remove these administrators via Computer Management, as Local Users and Groups is disabled on domain controllers.

    I've done a gpresult on one of my DCs (Windows Server 2003):

    Applied Group Policy Objects
    -----------------------------
    Default Domain Controllers Policy
    M-WSUS_Servers
    Default Domain Policy

    The problem groups are not assigned by any of these policies and a quick scan of 2 of my member servers (out of 15) shows the problem groups have no admin rights on member servers.

    Any ideas please folks, tearing my hair out here!

    Jonathan
    Last edited by jonathanhaddock; 22nd September 2009 at 02:27 PM.

  2. #2
    ijk
    Are these groups that give administrator rights to users on local machines?
    Who are the members of the groups?

  3. #3
    jonathanhaddock
    To reply to this thread, I've now resolved the problems.

    As most are probably aware, you cannot edit the local users and groups on a Domain Controller - the local SAM database is disabled at the point AD is installed.

    However, it is possible to make additional users/groups administrators of Domain Controllers via Active Directory's Builtin section.

    If you open Active Directory Users and Computers and browse to the Builtin container there are a number of groups, including Administrators. This Administrators group relates to domain controllers (as, to my knowledge, do all of these groups). By mistakenly adding users to this Administrators group, users can become administrators of the entire domain (test that, quite terrifying).

    To make a separate group, say PCAdmins, administrators of workstations the PCAdmins group should be added via Restricted Groups in GPO.

    Hope this info is useful for others at a later date.

    Attachment is how MBSA shows the additional administrators, taken from a network I consulted on after the company had discovered problems.
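
Added example, not part of the original thread: a PowerShell audit of the Builtin\Administrators group described in post #3, flagging direct members outside an expected list and counting the users who inherit rights through them. It assumes the ActiveDirectory PowerShell module is available; the `$expected` allow-list is an assumption to adjust for your domain.

```powershell
Import-Module ActiveDirectory

# Assumed allow-list of direct members (SamAccountName). Administrator,
# Domain Admins and Enterprise Admins are the default members; edit to suit.
$expected = @('Administrator', 'Domain Admins', 'Enterprise Admins')

# Builtin\Administrators has the well-known SID S-1-5-32-544. Looking it up
# by SID avoids matching a different group that happens to share the name.
$builtinAdmins = Get-ADGroup -Identity 'S-1-5-32-544'

# Direct members: a mistakenly added group such as PCAdmins or staff shows up here.
$direct = @(Get-ADGroupMember -Identity $builtinAdmins)
$unexpected = @($direct | Where-Object { $expected -notcontains $_.SamAccountName })

"Direct members of $($builtinAdmins.DistinguishedName):"
$direct | Sort-Object objectClass, SamAccountName |
    Format-Table SamAccountName, objectClass, distinguishedName -AutoSize |
    Out-String

if ($unexpected.Count -gt 0) {
    $names = ($unexpected | ForEach-Object { $_.SamAccountName }) -join ', '
    Write-Warning "Unexpected direct members: $names"

    # For each unexpected group, count the users who inherit rights through it.
    foreach ($m in ($unexpected | Where-Object { $_.objectClass -eq 'group' })) {
        $users = @(Get-ADGroupMember -Identity $m -Recursive |
                   Where-Object { $_.objectClass -eq 'user' })
        '{0}: {1} user(s) hold administrator rights on the domain controllers via this group' -f
            $m.SamAccountName, $users.Count
    }
} else {
    'No unexpected direct members found.'
}
```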