May sound silly... but just to double check, did you log into the server and make sure that its been changed in AD U&C?
RabbieBurns (11th May 2011)
yes, a student was able to change a teacher account. Im looking at ADSIEdit but not sure what I should be looking for? Anyone able to point me in the right direction.
Try useing the vbs script below to recursively check a specific user to see what groups they are in:
Command: cscript script.vbs "
Code:Dim objGroupList, objUser, strDN ' Check for required argument. If (Wscript.Arguments.Count < 1) Then Wscript.Echo "Required argument
missing. " _ & "For example:" & vbCrLf _ & "cscript EnumUserGroups.vbs cn=User2,ou=Sales,dc=MyDomain,dc=com" Wscript.Quit(0) End If ' Bind to the user object with the LDAP provider. strDN = Wscript.Arguments(0) On Error Resume Next Set objUser = GetObject("LDAP://" & strDN) If (Err.Number <> 0) Then On Error GoTo 0 Wscript.Echo "User not found" & vbCrLf & strDN Wscript.Quit(1) End If On Error GoTo 0 ' Bind to dictionary object. Set objGroupList = CreateObject("Scripting.Dictionary") ' Enumerate group memberships. Call EnumGroups(objUser, "") Sub EnumGroups(ByVal objADObject, ByVal strOffset) ' Recursive subroutine to enumerate user group memberships. ' Includes nested group memberships. Dim colstrGroups, objGroup, j objGroupList.CompareMode = vbTextCompare colstrGroups = objADObject.memberOf If (IsEmpty(colstrGroups) = True) Then Exit Sub End If If (TypeName(colstrGroups) = "String") Then ' Escape any forward slash characters, "/", with the backslash ' escape character. All other characters that should be escaped are. colstrGroups = Replace(colstrGroups, "/", "\/") Set objGroup = GetObject("LDAP://" & colstrGroups) If (objGroupList.Exists(objGroup.sAMAccountName) = False) Then objGroupList.Add objGroup.sAMAccountName, True Wscript.Echo strOffset & objGroup.distinguishedName Call EnumGroups(objGroup, strOffset & "--") Else Wscript.Echo strOffset & objGroup.distinguishedName & " (Duplicate)" End If Exit Sub End If For j = 0 To UBound(colstrGroups) ' Escape any forward slash characters, "/", with the backslash ' escape character. All other characters that should be escaped are. colstrGroups(j) = Replace(colstrGroups(j), "/", "\/") Set objGroup = GetObject("LDAP://" & colstrGroups(j)) If (objGroupList.Exists(objGroup.sAMAccountName) = False) Then objGroupList.Add objGroup.sAMAccountName, True Wscript.Echo strOffset & objGroup.distinguishedName Call EnumGroups(objGroup, strOffset & "--") Else Wscript.Echo strOffset & objGroup.distinguishedName & " (Duplicate)" End If Next End Sub
Could this thread be moved to Security or somewhere that doesn't get indexed by the search engines please.
Code:D:\profiles\rabbieburns\Desktop>cscript check_user.vbs Microsoft (R) Windows Script Host Version 5.8 Copyright (C) Microsoft Corporation. All rights reserved. D:\profiles\rabbieburns\Desktop\check_user.vbs(14, 44) Microsoft VBScript compilation error: Expected end of statement
Have you tried RSOPing a student?, could have someone done a restricted groups and added them to the domain admins?
iirc (havn't played for awhile) it won't because its a group policy so it basically "fakes" them being added to the group.
Or if the students have access to the command prompt you can use whoami (i think in seven you need to pass "whoami /groups" for the listing) to just grab the groups that they have and it should show it.
I think (more than likely) users have been added to the domain administrators group. There's no way they could access and change so much!
I would check the 'Students' or 'Teachers' Security Groups haven't been added. Adding Software Restriction Policies isn't the answer to solving these issues.
So ive now ran it against a couple of random student users. It appears there is a 'strange group' which the Students group is a member of.
When going into ADSIEdit and looking at this 'strange group', in the security tab under 'Authenticated Users', and 'SELF' there are a whole load of permissions set:
Read, Send to, Read exchange info, read exchange personal info, read phone and mail options,
Understanding ASIEdit a bit more than I did earlier, under Security of random students, there is an 'Everyone' which has the permission to change password.
@micheal, unless thats been done through a policy and isnt showing up in AD groups, as @p858snake has suggested..
There are currently 1 users browsing this thread. (0 members and 1 guests)