Work related (IT) issue

I have had my permission to the servers revoked as of today. My boss said that I've been trying to grant myself higher permission to the AD structure and consequently all permissions throughout the AD tree have been reset.

He said that my username appears in every single OU, Group, User file, with the same specific Group Policy permissions in everything. When I forced the propagation down the tree to include my credentials, I reset all the permissions on everything else. He has been spending days resetting individual entries to fix errors.

I do not have domain admin access rights, so how could I have done this? I used a temp account a couple of times to edit group policies, but that's about it. I have never even been on to security permissions on OUs.


Thanks
 
If you don't know if it was possible, then you shouldn't be messing with permissions and I agree with the decision to revoke your rights based on what you have said.
 
There are 2 ways to have enough rights to be able to change Security in AD: either your account has been delegated rights, or your account is a member of the Domain Admins group. Either way, if YOU had caused this you would have known, as when you propagate down security rights it comes up with a warning! And even then you would not only have had to click the warning off, you would have been given a choice between cancel, copy and remove.
 
Depends really, what security level do the accounts you are using have?

It's highly possible. But it sounds more like you've been set up. It can be checked, though, if Auditing/Logging is enabled, I believe.
 
Sounds like a set-up. If he's unable to fix something like that fairly quickly (restore anyone?!) then he shouldn't be mucking about in AD either.

Ultimately, if you were granted permissions and given no training, the buck stops with your boss. However, I find it highly unlikely that you'd be able to mess up an entire AD structure so easily and not realise you'd done it. It does give warnings, and I'm guessing from his claims of having spent days fixing it that it's possibly messed up mappings, scripts etc. But then again these are easy to fix even without a full restore of AD.

Just ask for training or have nothing to do with it. I wouldn't be owning up to anything though, not without proof that I'd done it. AD can become corrupt just like everything else; did he even consider a restore?
 
There are 2 ways to have enough rights to be able to change Security in AD: either your account has been delegated rights, or your account is a member of the Domain Admins group. Either way, if YOU had caused this you would have known, as when you propagate down security rights it comes up with a warning! And even then you would not only have had to click the warning off, you would have been given a choice between cancel, copy and remove.

I had admin rights but not domain admin rights. Would I have been able to delegate my own rights somehow? I'll ask him about the restore of AD. I did think about a restore instead of sorting all the permissions again.

I have never seen any warnings or boxes in AD in the past few weeks.
 
So, to be unsure as to whether you've done this, you've obviously tried but thought that you wouldn't be successful; you have been, and now you're papping yourself.
 
He said that my username appears in every single OU, Group, User file, with the same specific Group Policy permissions in everything. When I forced the propagation down the tree to include my credentials, I reset all the permissions on everything else. He has been spending days resetting individual entries to fix errors.

Thanks

Could be some really sloppy administration. We had a similar issue here caused by some people leaving the 'inherit permissions from parent' box ticked when they created shares. This would, in effect, cause any permissions you set to be pulled down the tree. You would not get a warning if you changed the permissions on the parent subsequent to this being set. I think.

That said, if all you did was add yourself, then the rest of the permissions would have been unaffected.

*goes off to poke ad*

TG
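The two checks raised in this thread (whether the account's entries on each OU are explicit or merely inherited from a parent, and whether the audit log says who wrote them) can both be done from a DC. This is an added example, not something posted in the thread; it assumes the RSAT ActiveDirectory module, read access to the directory, and Directory Service Changes auditing being enabled, and 'CONTOSO\jsmith' is a placeholder principal.

```powershell
# Added example: where does a principal appear in OU ACLs, and who changed the ACLs?
param(
    [string]$Principal = 'CONTOSO\jsmith'   # placeholder; replace with the account in question
)

Import-Module ActiveDirectory

# The AD: PSDrive comes with the ActiveDirectory module and lets Get-Acl read object ACLs.
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Principal) { continue }
        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            Inherited   = $ace.IsInherited      # $false = written directly on this OU
            Inheritance = $ace.InheritanceType  # e.g. All = flows down to child objects
        }
    }
}

# One explicit ACE near the top with inherited copies below is ordinary inheritance.
# An explicit ACE on every OU means something actually wrote to each object, as the
# "copy" option of the inheritance prompt does when permissions are pushed down the tree.
$explicit  = @($report | Where-Object { -not $_.Inherited })
$inherited = @($report | Where-Object { $_.Inherited })
"{0} explicit and {1} inherited entries for {2}" -f $explicit.Count, $inherited.Count, $Principal
$explicit | Sort-Object OU | Format-Table OU, Rights, Type, Inheritance -AutoSize

# Event 5136 ("A directory service object was modified") records the subject and object for
# each attribute change; filtering on nTSecurityDescriptor shows who rewrote which ACL.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['AttributeLDAPDisplayName'] -eq 'nTSecurityDescriptor') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                By     = $data['SubjectUserName']   # the account that made the change
                Object = $data['ObjectDN']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

The second part only returns rows if "Audit Directory Service Changes" was enabled and a SACL on the objects requests auditing before the change happened; it has to be run on (or against) each DC, because 5136 is logged on the DC that processed the write.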
 
So, to be unsure as to whether you've done this, you've obviously tried but thought that you wouldn't be successful; you have been, and now you're papping yourself.

No, if I tried something like this (by mistake) and then saw a load of warnings, then I would have stopped or pressed cancel.

However, if I accidentally ticked a box and pressed OK and no warning message came up, then it's a possibility. I wouldn't have thought it could be done without domain admin access though.
 
No, if I tried something like this (by mistake) and then saw a load of warnings, then I would have stopped or pressed cancel.

However, if I accidentally ticked a box and pressed OK and no warning message came up, then it's a possibility. I wouldn't have thought it could be done without domain admin access though.
There is next to no chance you could have done this without noticing. I still don't believe that you can be considering that you might have accidentally done this, rather than having done it not expecting it to work. You've done something, not accidentally but just seeing what you could do rather than maliciously, and now you've been caught and you're trying to find a way to cover your back.
 
I had access to a domain admin account; there are far worse things I could have done, but never would have.

So, could I have added myself to permissions of an entire OU, even without domain admin access?
 
I had access to a domain admin account; there are far worse things I could have done, but never would have.

So, could I have added myself to permissions of an entire OU, even without domain admin access?
But you've just said that you did it with a domain admin account. You could not give yourself rights higher than your current permission level; it is obvious to your boss that you've used a domain admin account.
 
But you've just said that you did it with a domain admin account. You could not give yourself rights higher than your current permission level; it is obvious to your boss that you've used a domain admin account.

The account with domain admin is a temp account. If I did it through that one, my name wouldn't appear in groups etc. It would be the temp account. So it couldn't have been that one.
 