AD Schema Security

Thread starter: Guest

Hi all

Is there a "backdoor" or way for an application installation to
programmatically get elevated privileges to update the AD schema?

E.g. the Schema Admins group is empty and the Schema partition is not set to
be writable; however, an end-user attempts to install an application on their
workstation which tries to update the schema as part of the install. To be
able to install the app, the application is already in an elevated privilege
state. Is there a way to ensure that there is no chance a rogue app
installed by an end-user can update the schema?
I would like to ensure that in this situation, the schema update by the
user's application install should FAIL.

Thanks
 
If you are not in the schema admin group, there is no way to get around
updating the schema. If there is a way around it, I am not aware of how to
do it even with a program install. If someone knows of a way please let us
know.

Ozone
 
You are already safeguarded against this happening.
If you wish to further make certain, then you could restrict write
permissions on the administrative groups. Even then, just as
a rogue app would need to change the Schema Admins group
membership, it would after changes only have to acquire an
account context able to change Schema Admins membership.
Whether you make any changes to the default security settings
or not, it would be a determined crack app, not just an accident,
that would be needed.
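An added audit script, not posted by anyone in this thread, that checks the two safeguards the replies rely on: that Schema Admins is empty, and which principals hold write rights on the group object and on the schema partition head (the path a rogue installer would need in order to re-add itself). It assumes the ActiveDirectory RSAT module on a domain-joined machine with read access to the forest root.

```powershell
# Added audit example (not from the thread). Requires the ActiveDirectory
# module; read access to the forest root domain is enough.
Import-Module ActiveDirectory

$rootDse    = Get-ADRootDSE
$schemaNC   = $rootDse.schemaNamingContext
$forestRoot = (Get-ADForest).RootDomain   # Schema Admins lives in the forest root

# 1. Schema Admins should normally be empty; membership is added only for a
#    planned schema change and removed afterwards.
$schemaAdmins = Get-ADGroup -Identity 'Schema Admins' -Server $forestRoot
$members = Get-ADGroupMember -Identity $schemaAdmins -Server $forestRoot -Recursive
if ($members) {
    Write-Warning 'Schema Admins is not empty:'
    $members | Select-Object name, objectClass, distinguishedName | Format-Table -AutoSize
} else {
    Write-Output 'OK: Schema Admins has no members.'
}

# Rights that allow changing an object (or its ACL/owner, which is equivalent).
$writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'

# 2. Who can modify the Schema Admins group object itself? Any principal listed
#    here can re-populate the group, which is the step the third reply describes.
Write-Output "`nPrincipals with write rights on $($schemaAdmins.DistinguishedName):"
(Get-Acl -Path ("AD:\" + $schemaAdmins.DistinguishedName)).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match $writeRights } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# 3. Same question for the schema partition head. Compare each principal against
#    what your forest is expected to have; anything unexpected is worth a look.
Write-Output "`nPrincipals with write rights on $schemaNC:"
(Get-Acl -Path "AD:\$schemaNC").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match $writeRights } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Running this before and after an application install gives a concrete diff of who could reach the schema, rather than relying on the installer's own messages.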
 