May sound silly... but just to double check, did you log into the server and make sure that its been changed in AD U&C?

yes!
All users have permissions to update this information for their own user account in AD, it is by design. It includes most of what is on the front page of the user properties screen as well as addresses and such. There is no way to prevent this without using ADSI edit to remove permissions and modifying the schema.

RabbieBurns (11th May 2011)

Yes, a student was able to change a teacher account. I'm looking at ADSIEdit but not sure what I should be looking for. Anyone able to point me in the right direction?
If your students can update other people's user accounts then either your AD permissions are completely and utterly borked in a way that could only be caused by buggering about with adsiedit, or your students are somehow in the Domain Admins or similar group.
Try using the VBS script below to recursively check a specific user to see what groups they are in:
Command: cscript script.vbs "<User DN>"
Code:
Dim objGroupList, objUser, strDN

' Check for required argument.
If (Wscript.Arguments.Count < 1) Then
    Wscript.Echo "Required argument <Distinguished Name> missing. " _
        & "For example:" & vbCrLf _
        & "cscript EnumUserGroups.vbs cn=User2,ou=Sales,dc=MyDomain,dc=com"
    Wscript.Quit(0)
End If

' Bind to the user object with the LDAP provider.
strDN = Wscript.Arguments(0)
On Error Resume Next
Set objUser = GetObject("LDAP://" & strDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User not found" & vbCrLf & strDN
    Wscript.Quit(1)
End If
On Error GoTo 0

' Bind to dictionary object.
Set objGroupList = CreateObject("Scripting.Dictionary")

' Enumerate group memberships.
Call EnumGroups(objUser, "")

Sub EnumGroups(ByVal objADObject, ByVal strOffset)
    ' Recursive subroutine to enumerate user group memberships.
    ' Includes nested group memberships.
    Dim colstrGroups, objGroup, j

    objGroupList.CompareMode = vbTextCompare
    colstrGroups = objADObject.memberOf
    If (IsEmpty(colstrGroups) = True) Then
        Exit Sub
    End If
    If (TypeName(colstrGroups) = "String") Then
        ' Escape any forward slash characters, "/", with the backslash
        ' escape character. All other characters that should be escaped are.
        colstrGroups = Replace(colstrGroups, "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrGroups)
        If (objGroupList.Exists(objGroup.sAMAccountName) = False) Then
            objGroupList.Add objGroup.sAMAccountName, True
            Wscript.Echo strOffset & objGroup.distinguishedName
            Call EnumGroups(objGroup, strOffset & "--")
        Else
            Wscript.Echo strOffset & objGroup.distinguishedName & " (Duplicate)"
        End If
        Exit Sub
    End If
    For j = 0 To UBound(colstrGroups)
        ' Escape any forward slash characters, "/", with the backslash
        ' escape character. All other characters that should be escaped are.
        colstrGroups(j) = Replace(colstrGroups(j), "/", "\/")
        Set objGroup = GetObject("LDAP://" & colstrGroups(j))
        If (objGroupList.Exists(objGroup.sAMAccountName) = False) Then
            objGroupList.Add objGroup.sAMAccountName, True
            Wscript.Echo strOffset & objGroup.distinguishedName
            Call EnumGroups(objGroup, strOffset & "--")
        Else
            Wscript.Echo strOffset & objGroup.distinguishedName & " (Duplicate)"
        End If
    Next
End Sub
Could this thread be moved to Security or somewhere that doesn't get indexed by the search engines please.


Doesn't seem to work for me?
Code:
D:\profiles\rabbieburns\Desktop>cscript check_user.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

D:\profiles\rabbieburns\Desktop\check_user.vbs(14, 44) Microsoft VBScript compilation error: Expected end of statement
Have you tried RSOPing a student? Could someone have done a restricted groups policy and added them to the domain admins?

IIRC (haven't played for a while) it won't, because it's a group policy so it basically "fakes" them being added to the group.
Or if the students have access to the command prompt you can use whoami (I think in Seven you need to pass "whoami /groups" for the listing) to just grab the groups that they have and it should show it.

I think (more than likely) users have been added to the domain administrators group. There's no way they could access and change so much!
I would check the 'Students' or 'Teachers' Security Groups haven't been added. Adding Software Restriction Policies isn't the answer to solving these issues.

OK, my bad. Sorry, I guess copying and pasting over RDP doesn't work too great.
So I've now run it against a couple of random student users. It appears there is a 'strange group' which the Students group is a member of.
When going into ADSIEdit and looking at this 'strange group', in the security tab under 'Authenticated Users', and 'SELF' there are a whole load of permissions set:
Read, Send to, Read exchange info, read exchange personal info, read phone and mail options,
Understanding ADSIEdit a bit more than I did earlier, under Security of random students, there is an 'Everyone' which has the permission to change password.
@micheal, unless that's been done through a policy and isn't showing up in AD groups, as @p858snake has suggested..
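To make the ADSIEdit check described above repeatable, here is an added PowerShell audit (not from the thread or any poster) that walks every user under an OU and lists ACEs granted to Everyone or Authenticated Users that allow writes or the password extended rights. It assumes the RSAT ActiveDirectory module is installed and the OU path is a placeholder; it also distinguishes Change Password (needs the old password) from Reset Password (does not), since the latter is the one that lets someone take over an account.

```powershell
# Added example: audit broad principals' write/password rights on user objects.
# Assumes the RSAT ActiveDirectory module; the OU below is a placeholder.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs from the AD schema.
$ChangePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password
$ResetPassword  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password

# Principals that should not hold write rights on other people's accounts.
# SELF is left out because self-writes to personal info are by design.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users')
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-RiskyUserAces {
    param([Parameter(Mandatory)][string]$SearchBase)

    foreach ($user in Get-ADUser -SearchBase $SearchBase -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($BroadPrincipals -notcontains $who) { continue }

            $rights = $ace.ActiveDirectoryRights
            $kind = $null
            if ($rights.HasFlag($R::ExtendedRight)) {
                # An empty ObjectType means "all extended rights", which includes reset.
                if ($ace.ObjectType -eq $ResetPassword -or $ace.ObjectType -eq [guid]::Empty) {
                    $kind = 'Reset Password'
                } elseif ($ace.ObjectType -eq $ChangePassword) {
                    $kind = 'Change Password'
                }
            }
            foreach ($w in 'WriteProperty', 'GenericWrite', 'GenericAll', 'WriteDacl', 'WriteOwner') {
                if (-not $kind -and $rights.HasFlag($R::$w)) { $kind = $w }
            }
            if ($kind) {
                [pscustomobject]@{
                    User      = $user.SamAccountName
                    Principal = $who
                    Finding   = $kind
                    Inherited = $ace.IsInherited   # inherited => set higher up (OU or domain)
                }
            }
        }
    }
}

# Placeholder OU; replace with the students OU in your domain.
Get-RiskyUserAces -SearchBase 'OU=Students,DC=example,DC=com' |
    Sort-Object User, Principal | Format-Table -AutoSize
```

Inherited findings point at an ACE on a parent OU or the domain head rather than the user object itself, which is where a broad grant like the one on the 'strange group' would have been introduced.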