Default domain permissions

  • Thread starter: ade

Hi all - posted this issue in win2000.active_directory a few days ago,
wonder if someone could help me?

The OS is Windows 2000, single domain in native mode.

When I log onto my machine (which has the admin tools installed) as a normal
user, I can modify/create/delete domain user accounts, and create new GPOs.

Things I have tried:

Checking everyone group and domain user group permissions on the domain and
each OU. Would appear that those groups have reset password and some write
permissions. They are not members of domain admins/admins/enterprise
admins.

I have searched high and low for what the default domain user permissions
should be but cannot locate a document with them on. Could someone post
them here please?

Any help much appreciated.
 
I do not believe there is such a document, and if so, then I would
question if it is up-to-date.

You say a normal user has those abilities, but you have not mentioned
the history of the environment, or whether you have considered all
groups in which the user holds membership.
The abilities you mentioned are things often delegated, and it sounds
as if the Users group may have been delegated those abilities.
 
To see what the default explicit security is of each object in AD when
created, do the following:
BE VERY CAREFUL WITH WHAT YOU DO!
* Open a command prompt
* Run schmmgmt.msc
* Click on the classes node
* Right click on the class of the object you want to check the default permissions for
* Click on the Default Security tab (may be called something else depending on OS)
* Et voilà, the default permissions for the class an object belongs to
 
Chaps - thanks for the replies.

I'll check them out at work Monday and post my findings.

BTW - the user account in question is a member of domain users ONLY.
 
Found it using the Hyena tool someone else has mentioned in a post.

The everyone group was a member of administrators!

Removed it and will test later
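
The finding in this thread (Everyone nested in Administrators, so an account that is explicitly in Domain Users only still carries admin rights) can be checked for mechanically. The following is an added example, not part of the original thread: it assumes group memberships have been exported as a mapping of group SID to direct member SIDs, and the domain SID and account RIDs are constructed sample values; the well-known SIDs and RIDs are the standard Windows ones.

```python
# Added example; the membership export below is constructed sample data.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
EVERYONE, AUTH_USERS = "S-1-1-0", "S-1-5-11"          # implicit in logon tokens
ADMINISTRATORS = "S-1-5-32-544"                       # BUILTIN\Administrators
PRIVILEGED_RIDS = {"512", "518", "519"}   # Domain / Schema / Enterprise Admins
DOMAIN_USERS = f"{DOMAIN}-513"

# group SID -> direct member SIDs (assumed export format, one entry per group)
MEMBERS = {
    ADMINISTRATORS: [f"{DOMAIN}-500", f"{DOMAIN}-512", EVERYONE],
    f"{DOMAIN}-512": [f"{DOMAIN}-500"],
    DOMAIN_USERS: [f"{DOMAIN}-500", f"{DOMAIN}-1105"],
}

def is_privileged(sid):
    return sid == ADMINISTRATORS or (
        sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in PRIVILEGED_RIDS)

def is_broad(sid):
    return sid in (EVERYONE, AUTH_USERS) or (
        sid.startswith("S-1-5-21-") and sid.endswith("-513"))

def broad_paths(members):
    """Return [privileged group, ..., broad principal] chains, following nesting."""
    found = []
    def walk(group, path):
        for m in members.get(group, []):
            if is_broad(m):
                found.append(path + [m])
            elif m in members and m not in path:  # nested group; skip cycles
                walk(m, path + [m])
    for g in members:
        if is_privileged(g):
            walk(g, [g])
    return found

def effective_groups(user_sid, members):
    """Expand a logon token: explicit memberships plus the implicit SIDs."""
    token = {user_sid, EVERYONE, AUTH_USERS}
    changed = True
    while changed:
        changed = False
        for g, direct in members.items():
            if g not in token and token.intersection(direct):
                token.add(g)
                changed = True
    return token
```

With the sample data, `broad_paths(MEMBERS)` reports the Administrators-to-Everyone chain, and `effective_groups` shows the RID 1105 account picking up Administrators even though its only explicit group is Domain Users.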
 