StephanG asked

Active Directory - fresh and "historical" - different default permissions on user/computer objects

Hi everyone,

I recently got some problems with the security of user objects after the "PrintNightmare mitigation".
So I looked through some of the users and their security settings.

Some users differ from others, and even after a reset and a new "inheritance" they are still not set the same.

So I decided to build a new 2019 DC in my test lab to compare the security on a fresh DC with mine.
They differ in various ways.

Is the security ever "patched", and are there recommendations on what to change if you change the forest to a higher level?

Best regards
Stephan


Hello @StephanG,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

DaisyZhou-MSFT answered

Hello @StephanG,

Thank you for your update.

But from the security perspective, if I set inheritance on and the user has different rights than my OU security settings, that makes me nervous.
A: Maybe some permissions are inherited from their parent containers (such as the domain or a parent OU) and some permissions are added on the OU explicitly.


Is there any Microsoft Service (available in Germany) that does an inspection of the AD health? I would rather pay for a specialist to check that.
A: Usually, we can run commands to check AD health.

1. Run net share on each DC to see if the SYSVOL folder and NetLogon folder are shared.
2. Run Dcdiag /v on each DC to see if there is any error message.
3. Run repadmin /showrepl and repadmin /replsum on each DC to check if AD replication works fine.
4. Run gpupdate /force on each DC to see if GPO can update successfully.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou



Hello @StephanG,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou



Hello @StephanG,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.


Best Regards,
Daisy Zhou



I do not have the resources to check as deeply as I want to.
So I am trying to get external security help to do a "health check".

Thameur-BOURBITA answered

Hi,
It's recommended to remove all unnecessary permissions added at the organizational unit level or at the object level, especially on highly privileged accounts. Active Directory Access Control List – Attacks and Defense
Basing yourself on the default permissions, as you did, in order to remove all unnecessary permissions is a good approach.

Please don't forget to mark the helpful reply as answer

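The advice above (strip permissions that are not part of the defaults) needs a way to see which explicit ACEs on a user object are not in the schema default for the user class. The following is an added example, not code from this thread; it assumes the ActiveDirectory module is available, uses a placeholder search base, and only reports (ACEs that are legitimate in your environment but absent from the schema default will also be listed, so treat the output as a review list):

```powershell
# Added example (not from the thread): report explicit (non-inherited) ACEs on
# user objects that are not part of the schema defaultSecurityDescriptor of the
# user class. Assumes the ActiveDirectory module; the search base is a
# placeholder. Reporting only, nothing is changed.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,DC=domain,DC=local'   # placeholder, adjust to your domain

# Load the default security descriptor of the user class from the schema partition
# into an ActiveDirectorySecurity object so its ACEs can be compared rule by rule.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -Identity "CN=User,$schemaNC" -Properties defaultSecurityDescriptor
$defaultSd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$defaultSd.SetSecurityDescriptorSddlForm($userClass.defaultSecurityDescriptor)

$sidType = [System.Security.Principal.SecurityIdentifier]

# Normalise an ACE to a string key; identities are kept as SIDs so that
# well-known aliases from the SDDL and resolved account names compare equal.
function Get-AceKey([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace) {
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference.Value, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType, $Ace.InheritanceType
}

$defaultKeys = $defaultSd.GetAccessRules($true, $false, $sidType) | ForEach-Object { Get-AceKey $_ }

Get-ADUser -Filter * -SearchBase $searchBase | ForEach-Object {
    $user = $_
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    # $false = exclude inherited rules; only ACEs set directly on the object matter here
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if ($defaultKeys -contains (Get-AceKey $ace)) { continue }
        [pscustomobject]@{
            User               = $user.SamAccountName
            Identity           = $(try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                                   catch { $ace.IdentityReference.Value })
            Rights             = $ace.ActiveDirectoryRights
            Type               = $ace.AccessControlType
            ObjectType         = $ace.ObjectType
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
} | Format-Table -AutoSize
```

The InheritanceBlocked column is the quick tell for objects that SDProp has stamped from AdminSDHolder: those show a full set of explicit ACEs and no inheritance, which is the "not inherited although inheritance is on at the OU" symptom described in this thread.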

Sorry for the late response.
I reviewed some of the ACLs already - but on some of the objects they are just not "inherited" although inheritance is on.

And on the other side - coming from a 2000 AD the ACLs differ from a fresh 2019 install.


Hello @StephanG,

Thank you for your update.

I reviewed some of the ACLs already - but on some of the objects they are just not "inherited" although inheritance is on.
A: Would you please tell us what actual problems you have now?

And on the other side - coming from a 2000 AD the ACLs differ from a fresh 2019 install.
A: I think it "coming from a 2000 AD the ACLs differ from a fresh 2019 install" should be like this.


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou



It is not really a problem, because the users can work.
But from the security perspective, if I set inheritance on and the user has different rights than my OU security settings, that makes me nervous.

Is there any Microsoft Service (available in Germany) that does an inspection of the AD health? I would rather pay for a specialist to check that.

DaisyZhou-MSFT answered

Hello @StephanG,

Thank you for posting here.

Hope the information provided by Thameur-BOURBITA is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


StephanG answered

Just to share: I just found out that it only affects a few accounts that had admincount=1 once.

So I wrote this script to find out which users have the "wrong/different" setting. I now "restore defaults" on the user accounts in phases. But it seems to be OK.

 # Lists the users in the OU whose ACL contains an explicit ACE granting
 # "Authenticated Users" GenericRead, the marker found on the once-admincount=1 accounts
 Import-Module ActiveDirectory
 $allusers = Get-ADUser -Filter * -SearchBase "OU=Users,DC=domain,DC=local"
 ForEach ($User in $allusers)
     {
     # Address the object on the AD: drive by its full DN; Get-Acl returns an
     # ActiveDirectorySecurity object whose Access property holds the ACEs
     $ACLs = Get-Acl -Path "AD:\$($User.DistinguishedName)" | Select-Object -ExpandProperty Access
     ForEach ($ACL in $ACLs)
         {
         If ($ACL.IdentityReference -eq "NT AUTHORITY\Authenticated Users")
             {
             # ActiveDirectoryRights is a flags enum; -like matches against its string form
             If ($ACL.ActiveDirectoryRights -like "*GenericRead*")
                 {
                 Write-Host $User " betroffen"   # "betroffen" = affected; $User prints as its DN
                 }
             }
         }
     }
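Stephan's finding (only accounts that once had admincount=1 are affected) and his phased "restore defaults" step, as an added example that is not his script: the block below lists users that still carry adminCount=1 but are no longer members of any protected group, and with -Fix puts their DACL back to the schema default with inheritance enabled and clears adminCount. It assumes the ActiveDirectory module; run it without -Fix first to review the list, since SDProp re-stamps any account that is still a protected-group member within the hour.

```powershell
# Added example (not from the thread): find user accounts that still carry
# adminCount=1 although they are no longer members of any protected group, and
# optionally put them back to the schema defaults (inheritance on, default DACL).
# Assumes the ActiveDirectory module; run without -Fix first to review the list.
param([switch]$Fix)
Import-Module ActiveDirectory

# Members of AdminSDHolder-protected groups (those groups carry adminCount=1 too),
# collected recursively so that nested membership still counts as "protected".
$stillProtected = @{}
foreach ($grp in Get-ADGroup -Filter 'adminCount -eq 1') {
    Get-ADGroupMember -Identity $grp -Recursive |
        ForEach-Object { $stillProtected[$_.distinguishedName] = $true }
}
# Administrator (RID 500) and krbtgt (RID 502) are protected regardless of membership.
$domainSid = (Get-ADDomain).DomainSID.Value
$stillProtected[(Get-ADUser -Identity "$domainSid-500").DistinguishedName] = $true
$stillProtected[(Get-ADUser -Identity "$domainSid-502").DistinguishedName] = $true

# Schema default security descriptor of the user class: the state a freshly
# created user object has before SDProp ever touches it.
$schemaNC        = (Get-ADRootDSE).schemaNamingContext
$userDefaultSddl = (Get-ADObject -Identity "CN=User,$schemaNC" -Properties defaultSecurityDescriptor).defaultSecurityDescriptor

$report = foreach ($u in Get-ADUser -Filter 'adminCount -eq 1') {
    if ($stillProtected.ContainsKey($u.DistinguishedName)) { continue }   # legitimately protected
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    [pscustomobject]@{
        User               = $u.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExplicitAces       = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]).Count
    }
    if ($Fix) {
        # Replace only the DACL with the schema default; the default SDDL carries no
        # "P" flag, so inheritance from the OU is switched back on at the same time.
        $acl.SetSecurityDescriptorSddlForm($userDefaultSddl, [System.Security.AccessControl.AccessControlSections]::Access)
        Set-Acl -Path $path -AclObject $acl
        # Without clearing adminCount the account stays flagged as "once privileged".
        Set-ADUser -Identity $u -Clear adminCount
    }
}
$report | Format-Table -AutoSize
```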