Thread: !! students have access to active directory, everything !! (Windows, Technical forum)
Page 3 of 4, posts 31 to 45 of 54
#31 p858snake:
    May sound silly... but just to double check, did you log into the server and make sure that it's been changed in AD U&C?

#32 RabbieBurns:
    yes

#33 ChrisMiles:
    Quote Originally Posted by RabbieBurns:
    Also, when I tested with a user account, they were able to modify AD. I changed the displayName of a teacher account..
    All users have permissions to update this information for their own user account in AD, it is by design. It includes most of what is on the front page of the user properties screen as well as addresses and such. There is no way to prevent this without using ADSI edit to remove permissions and modifying the schema.

#34 CyberNerd:
    Quote Originally Posted by ChrisMiles:
    All users have permissions to update this information for their own user account in AD, it is by design. It includes most of what is on the front page of the user properties screen as well as addresses and such. There is no way to prevent this without using ADSI edit to remove permissions and modifying the schema.
    But not other people's accounts? Which I thought was the problem here...

    Thanks to CyberNerd from: RabbieBurns (11th May 2011)

#35 RabbieBurns:
    Yes, a student was able to change a teacher account. I'm looking at ADSIEdit but not sure what I should be looking for? Anyone able to point me in the right direction.

#36 ChrisMiles:
    Quote Originally Posted by RabbieBurns:
    Yes, a student was able to change a teacher account. I'm looking at ADSIEdit but not sure what I should be looking for? Anyone able to point me in the right direction.
    If your students can update other people's user accounts then either your AD permissions are completely and utterly borked in a way that could only be caused by buggering about with adsiedit, or your students are somehow in the Domain Admins or similar group.

    Try using the VBS script below to recursively check a specific user to see what groups they are in:

    Command: cscript script.vbs "<User DN>"

    Code:
    Option Explicit
    Dim objGroupList, objUser, strDN
    
    ' Check for required argument.
    If (Wscript.Arguments.Count < 1) Then
        Wscript.Echo "Required argument <Distinguished Name> missing. " _
            & "For example:" & vbCrLf _
            & "cscript EnumUserGroups.vbs cn=User2,ou=Sales,dc=MyDomain,dc=com"
        Wscript.Quit(1)
    End If
    
    ' Bind to the user object with the LDAP provider.
    strDN = Wscript.Arguments(0)
    On Error Resume Next
    Set objUser = GetObject("LDAP://" & strDN)
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Wscript.Echo "User not found" & vbCrLf & strDN
        Wscript.Quit(1)
    End If
    On Error GoTo 0
    
    ' Dictionary of group sAMAccountNames already visited. It stops the recursion
    ' looping forever when groups are nested in a circle, and flags duplicates.
    ' CompareMode must be set before the first Add.
    Set objGroupList = CreateObject("Scripting.Dictionary")
    objGroupList.CompareMode = vbTextCompare
    
    ' Enumerate group memberships.
    Call EnumGroups(objUser, "")
    
    Sub EnumGroups(ByVal objADObject, ByVal strOffset)
        ' Recursive subroutine to enumerate group memberships from the memberOf
        ' attribute, following nested groups. Note that memberOf does not list
        ' the primary group (normally Domain Users).
        Dim colstrGroups, strGroupDN, objGroup
        colstrGroups = objADObject.memberOf
        If IsEmpty(colstrGroups) Then Exit Sub
        ' memberOf comes back as a plain string when there is one value and as
        ' an array when there are several; normalise to an array.
        If (TypeName(colstrGroups) = "String") Then colstrGroups = Array(colstrGroups)
        For Each strGroupDN In colstrGroups
            ' Escape any forward slash characters, "/", with the backslash
            ' escape character. All other characters that should be escaped are.
            strGroupDN = Replace(strGroupDN, "/", "\/")
            Set objGroup = GetObject("LDAP://" & strGroupDN)
            If objGroupList.Exists(objGroup.sAMAccountName) Then
                Wscript.Echo strOffset & objGroup.distinguishedName & " (Duplicate)"
            Else
                objGroupList.Add objGroup.sAMAccountName, True
                Wscript.Echo strOffset & objGroup.distinguishedName
                Call EnumGroups(objGroup, strOffset & "--")
            End If
        Next
    End Sub

#37 teejay:
    Could this thread be moved to Security or somewhere that doesn't get indexed by the search engines please.

#38 Dos_Box:
    Quote Originally Posted by teejay:
    Could this thread be moved to Security or somewhere that doesn't get indexed by the search engines please.
    I don't think there is anything yet, that warrants it as it is not a topic about how to get around security measures, but rather one of how to create them.

#39 RabbieBurns:
    Quote Originally Posted by ChrisMiles:
    Try using the VBS script below to recursively check a specific user to see what groups they are in:
    Doesn't seem to work for me?

    Code:
    D:\profiles\rabbieburns\Desktop>cscript check_user.vbs
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    D:\profiles\rabbieburns\Desktop\check_user.vbs(14, 44) Microsoft VBScript compilation error: Expected end of statement

#40 ChrisMiles:
    Quote Originally Posted by RabbieBurns:
    Doesn't seem to work for me?

    Code:
    D:\profiles\rabbieburns\Desktop>cscript check_user.vbs
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    D:\profiles\rabbieburns\Desktop\check_user.vbs(14, 44) Microsoft VBScript compilation error: Expected end of statement
    Are you sure you copied the whole script including the last End Sub line?

#41 p858snake:
    Have you tried RSOPing a student? Could someone have done a Restricted Groups and added them to the Domain Admins?

#42 RabbieBurns:
    Quote Originally Posted by p858snake:
    Have you tried RSOPing a student? Could someone have done a Restricted Groups and added them to the Domain Admins?
    Would this not show up under 'Members' when I look at the Domain Admins group?

#43 p858snake:
    IIRC (haven't played for a while) it won't, because it's a group policy, so it basically "fakes" them being added to the group.

    Or, if the students have access to the command prompt, you can use whoami (I think in Seven you need to pass "whoami /groups" for the listing) to just grab the groups that they have, and it should show it.
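An added example (not part of the thread, and not ChrisMiles' script) that covers both the memberOf walk in #36 and the whoami /groups check above from the server side: it reads the user's tokenGroups attribute, which the domain controller computes as the transitive security-group membership (nested groups and the primary group included, so it reflects what the groups actually contain at the time of the query), and flags the well-known privileged groups by SID. It needs the ActiveDirectory PowerShell module (RSAT / Server 2008 R2 and later); the account name student01 is an assumption.

```powershell
# Added example, not from the thread: list the groups a DC puts in a user's token
# and flag the privileged ones. Requires the ActiveDirectory module.
# $SamAccountName is an assumption; replace it with a real student account.
Import-Module ActiveDirectory

$SamAccountName = 'student01'

# Well-known RIDs (domain SID + RID) and BUILTIN SIDs of groups whose membership
# gives control over the directory. Schema/Enterprise Admins live in the forest root.
$domainSid = (Get-ADDomain).DomainSID.Value
$rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$privileged = @{
    "${domainSid}-512" = 'Domain Admins'
    "${rootSid}-518"   = 'Schema Admins'
    "${rootSid}-519"   = 'Enterprise Admins'
    'S-1-5-32-544'     = 'Administrators'
    'S-1-5-32-548'     = 'Account Operators'
    'S-1-5-32-549'     = 'Server Operators'
    'S-1-5-32-550'     = 'Print Operators'
    'S-1-5-32-551'     = 'Backup Operators'
}

# tokenGroups is a constructed attribute: the DC expands nested membership and adds
# the primary group, neither of which a memberOf walk returns. It must be requested
# explicitly, and the module hands each value back as a SID object or as raw bytes.
$user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
$sids = foreach ($value in $user.tokenGroups) {
    if ($value -is [System.Security.Principal.SecurityIdentifier]) { $value }
    else { New-Object System.Security.Principal.SecurityIdentifier($value, 0) }
}

$report = foreach ($sid in $sids) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }          # deleted or foreign group: show the raw SID
    New-Object PSObject -Property @{
        Group      = $name
        SID        = $sid.Value
        Privileged = $privileged.ContainsKey($sid.Value)
    }
}

$report | Sort-Object Privileged -Descending | Format-Table Privileged, Group, SID -AutoSize

$hits = @($report | Where-Object { $_.Privileged })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} is, directly or through nesting, in: {1}" -f $SamAccountName, (($hits | ForEach-Object { $_.Group }) -join ', '))
} else {
    Write-Output "$SamAccountName holds no privileged group in its token; next audit the ACLs on the OUs."
}
```

Run it from a domain-joined machine as an account that can read the directory. The list matches what whoami /groups prints when the student logs on, minus the machine-local groups and the special identities (Everyone, Authenticated Users, Interactive) that whoami adds on the client. If nothing is flagged here but the student can still edit teacher accounts, the problem is in the ACLs, not the group membership.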

#44 Michael:
    I think (more than likely) users have been added to the domain administrators group. There's no way they could access and change so much!

    I would check the 'Students' or 'Teachers' Security Groups haven't been added. Adding Software Restriction Policies isn't the answer to solving these issues.

#45 RabbieBurns:
    Quote Originally Posted by ChrisMiles:
    Are you sure you copied the whole script including the last End Sub line?
    OK, my bad, sorry. I guess copying and pasting over RDP doesn't work too great.

    So I've now run it against a couple of random student users. It appears there is a 'strange group' which the Students group is a member of.

    When going into ADSIEdit and looking at this 'strange group', in the security tab under 'Authenticated Users' and 'SELF' there are a whole load of permissions set:

    Read, Send to, Read exchange info, read exchange personal info, read phone and mail options,

    Understanding ADSIEdit a bit more than I did earlier, under Security of random students, there is an 'Everyone' which has the permission to change password.

    @Michael, unless that's been done through a policy and isn't showing up in AD groups, as @p858snake has suggested..
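Following on from the ADSI Edit findings above, an added example that is not part of the thread. In a default domain the entries RabbieBurns lists are standard: Authenticated Users can read user objects, SELF may write its own personal information, phone/mail options and web information (which is what ChrisMiles describes in #33), and Everyone holds the Change Password extended right, which only works when the caller knows the current password (Reset Password is the dangerous one). Reading raw ACEs by hand in ADSI Edit is slow, so the script below walks every user object in an OU, skips those defaults and the expected administrators, and reports any other principal that holds a write, extended or ownership right, translating the object-type GUIDs to attribute, property-set and extended-right names from the schema. It needs the ActiveDirectory module; the OU DN and the $ExpectedWriters list are assumptions to adjust for your domain.

```powershell
# Added example, not from the thread: audit the ACLs on user objects in an OU and
# report principals other than the expected administrators that can write to them.
# Requires the ActiveDirectory module; $TargetOU and $ExpectedWriters are assumptions.
Import-Module ActiveDirectory

$TargetOU = 'OU=Staff,DC=school,DC=local'   # assumption: the teachers' OU

# Principals that hold write access on user objects by default. Add your own
# provisioning/MIS service accounts here; anything else that appears is a finding.
$nb = (Get-ADDomain).NetBIOSName
$ExpectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
                     "$nb\Domain Admins", "$nb\Enterprise Admins")

# Map the object-type GUIDs found in ACEs to readable names: attributes from the
# schema, extended rights and property sets (e.g. "Personal Information") from the
# Extended-Rights container. Guid.ToString() and rightsGuid are both lower-case.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object {
        $g = $_.schemaIDGUID
        if ($g -isnot [guid]) { $g = New-Object Guid(,[byte[]]$g) }   # stored as raw bytes
        $guidMap[$g.ToString()] = $_.lDAPDisplayName
    }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[$_.rightsGuid.ToLower()] = $_.displayName }

# Rights that let a principal modify the object, its password, or its own ACL.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, GenericWrite, GenericAll, WriteDacl, WriteOwner, ExtendedRight, Self'
# User-Change-Password: granted to Everyone by default, needs the old password.
$changePassword = 'ab721a53-1e2f-11d0-9819-00aa0040529b'

$findings = Get-ADUser -SearchBase $TargetOU -Filter * | ForEach-Object {
    $user = $_
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $writeMask) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($ExpectedWriters -contains $who) { continue }
        # By design: a user may edit its own personal info (SELF), and Everyone may
        # change a password it already knows. Reset Password for Everyone is NOT skipped.
        if ($who -eq 'NT AUTHORITY\SELF') { continue }
        if ($who -eq 'Everyone' -and $ace.ObjectType.ToString() -eq $changePassword) { continue }
        $typeKey = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [guid]::Empty)  { $target = '<whole object>' }   # applies to every attribute/right
        elseif ($guidMap.ContainsKey($typeKey)) { $target = $guidMap[$typeKey] }
        else                                    { $target = $typeKey }
        New-Object PSObject -Property @{
            User      = $user.SamAccountName
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Target    = $target
            Inherited = $ace.IsInherited      # True: the ACE comes from the OU or domain head
        }
    }
}

$findings | Sort-Object Principal, User | Format-Table User, Principal, Rights, Target, Inherited -AutoSize
```

A row with Principal set to Students (or Authenticated Users, Everyone, Domain Users) and Rights containing WriteProperty or GenericAll on a teacher object is exactly what lets a student rename a teacher. When Inherited is True the ACE was not put on the user but on a parent container, so run Get-Acl against "AD:\$TargetOU" and the domain head to find where it was added and remove it there; a Deny entry on the user objects only papers over it.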
