Schema Privileges

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Is there a "backdoor" or way for an application installation to get elevated privileges to update the AD schema?

Eg. the Schema Admins group is empty and the Schema partition is not set to be writable, however an end-user attempts to install an application on their workstation which tries to update the schema as part of the install. To be able to isntall the app the application is already in an elevated privilege state. Is there a way to ensure that there is no chance a rogue app installed by an end-user can update the schema?
 
By default only Windows Installer packages assigned/published through Group
Policy (or manually by the admin using msiexec) install using elevated
privileges - not packages the user manually starts him/herself. However, you
can use Group Policy or manually change this in the registry to allow any
package to install using elevated privileges.

Even if you did allow any Windows Installer package to use elevated
privileges, the privileges used during the installation are those of the
local system (i.e. the computer where the install is being performed). A
workstation's domain account has no permission to edit the schema by
default.

So, to answer your first question: no.

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my Permanente address.
This posting is provided "AS IS" with no warranties, and confers no rights.


SJM said:
Is there a "backdoor" or way for an application installation to get
Click to expand...
elevated privileges to update the AD schema?
Eg. the Schema Admins group is empty and the Schema partition is not set
Click to expand...
to be writable, however an end-user attempts to install an application on
their workstation which tries to update the schema as part of the install.
To be able to isntall the app the application is already in an elevated
privilege state. Is there a way to ensure that there is no chance a rogue
app installed by an end-user can update the schema?
 
Back
Top