Work related (IT) issue

I have had my permission to the servers revoked as of today. My boss said that I've been trying to grant myself higher permission to the AD structure and consequently all permissions throughout the AD tree have been reset.

He said that my username appears in every single OU, Group, User file, with the same specific Group Policy permissions in everything. When I forced the propagation down the tree to include my credentials, I reset all the permissions on everything else. He has been spending days resetting individual entries to fix errors.

I do not have domain admin access rights, how could I have done this? I used a temp account a couple of times to edit group policies but that's about it. I have never even been on to security permission on OUs.


Thanks
 
There are 2 ways to have enough rights to be able to change Security in AD: either your account has been delegated rights, or your account is a member of Domain Admins groups. Either way, if YOU would have caused this you would have known, as when you propagate down security rights it comes up with a warning!! And even then you would have not only had to have clicked the warning off, you would have been given a choice between cancel, copy and remove.

I had admin rights but not domain admin rights. Would I have been able to delegate my own rights somehow? I'll ask him about the restore of AD. I did think about a restore instead of sorting all the permissions again.

I have never seen any warnings or boxes in AD in the past few weeks.
 
So to be unsure as to whether you've done this you've obviously tried but thought that you wouldn't be successful, you have been and now you're papping yourself.

No, if I tried something like this (by mistake) and then saw a load of warnings then I would have stopped or pressed cancel.

However, if I accidentally ticked a box and pressed OK and no warning message came up then it's a possibility. I wouldn't have thought it could be done with domain admin access though.
 
I had access to a domain admin account, there are far worse things I could have done, but never would have.

So, could I have added myself to permissions of an entire OU, even without domain admin access?
 
But you've just said that you did it with a domain admin account, you could not give yourself rights higher than your current permission level, it is obvious to your boss that you've used a domain admin account.

The account with domain admin is a temp account. If I did it through that one, my name wouldn't appear in groups etc. It would be the temp account. So it couldn't have been that one.
 
Did you try to give your own account access to things you didn't have access to before, by using the temp Domain Admin account?

This could have been possible, but I wouldn't have done anything with OU permissions. If I needed to carry out any task I enabled the temp domain admin account, did the task with the temp account, then disabled it again.
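Added example, not part of the thread: when one username shows up on every OU, group and user object, a first triage step is to separate the explicit ACEs (set directly on an object) from the inherited copies that a single inheritable ACE on a parent produces. The sketch below does that over an exported ACE list; the CSV columns, the domain `EXAMPLE`, the account `jsmith` and all rows are constructed assumptions, and the "stamped" rule is a heuristic.

```python
import csv
import io

# Constructed sample: one row per ACE, as might be exported from each object's ACL.
# Column names and every value here are assumptions made for this illustration.
SAMPLE = """\
ObjectDN,Identity,Rights,IsInherited
"OU=Staff,DC=example,DC=test",EXAMPLE\\jsmith,GenericAll,False
"OU=Sales,OU=Staff,DC=example,DC=test",EXAMPLE\\jsmith,GenericAll,True
"OU=HR,OU=Staff,DC=example,DC=test",EXAMPLE\\jsmith,GenericAll,True
"OU=Servers,DC=example,DC=test",EXAMPLE\\jsmith,WriteDacl,False
"OU=Servers,DC=example,DC=test",EXAMPLE\\Domain Admins,GenericAll,False
"CN=PC01,OU=Servers,DC=example,DC=test",EXAMPLE\\jsmith,WriteDacl,False
"""

def parent_dn(dn):
    """Return the DN with its leftmost RDN removed (assumes no escaped commas)."""
    return dn.split(",", 1)[1] if "," in dn else ""

def classify(csv_text, account):
    """Group the objects where `account` holds an ACE by how the ACE got there."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    mine = [r for r in rows if r["Identity"].lower() == account.lower()]
    explicit = {r["ObjectDN"] for r in mine if r["IsInherited"] == "False"}
    inherited = {r["ObjectDN"] for r in mine if r["IsInherited"] == "True"}
    # Heuristic: an explicit ACE on an object whose parent also has an explicit
    # ACE for the same account was written per object instead of flowing down
    # by inheritance, so each such object needs its own cleanup.
    stamped = {dn for dn in explicit if parent_dn(dn) in explicit}
    return {"origins": sorted(explicit - stamped),
            "inherited": sorted(inherited),
            "stamped": sorted(stamped)}

if __name__ == "__main__":
    for kind, dns in classify(SAMPLE, "EXAMPLE\\jsmith").items():
        print(kind, len(dns), dns)
```

Inherited entries disappear once the ACE is removed at its origin; only the "origins" and "stamped" objects need editing one by one.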
 