Nitzan

Nitzan

If this prod is rocking, don’t come a-knocking

Vanishing permissions on AD objects

1 minute read

I recently managed to solve a problem that bugged me for a ~ year - permissions on a specific group on AD would vanish, and the change won’t show up on the security logs of any DC (as audit success).

The Story

We’ve made groups for our helpdesk teams, and gave them appropriate permissions on object in AD (create users, reset passwords) and made the groups members of some builtin groups. Then, we’ve set each helpdesk supervisor as its group’s managed by, with the additional “Manager can update membership list” (translates to an ACE on the group).

The problem was that every other day, the supervisor called and complained he can’t add people to the group. We checked the group properties, and sure enough, the check was gone!

After mutual accusations and name calling I’ve tried:

  • Auditing all changes to the group. Didn’t help. My changes get logged, the mystery ones didn’t.
  • Manually adding permissions through the security tab, giving the guy full control on the group. These ACEs fizzled just the same.
  • Changing the group’s location. Nothing.

The solution

Eventually, I’ve found this (KB817433), that describes some interesting mechanism called AdminSDHolder. Apparently, some builtin objects are considered sensitive, because users in control over these objects can maliciously elevate themselves to enterprise-adminhood:
Users:

  • Administrator
  • Krbtgt

 Groups:

  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers

So, every hour (by default, can be changed. See KB), the PDC makes sure these objects’ ACLs are identical to the ACL of the object CN=adminSDHolder,CN=System,DC=mydomain,DC=com and if not, it resets the objects’ ACLs (and disables security inheritance from their container).
The shocker is that members in these groups are also sensitive. As it happens, we’ve added the helpdesk group to the builtin “Print Operators” (for no good reason). Because of that, our helpdesk group was considered sensitive by the PDC, and so it repeatedly stripped the team leader’s ACE. After removing the group from “Print Operators”, the ACE never disappeared again!
So remember kids, if you add users / groups to the builtin ones, you’ll only have the default boring ACL on these.

You May Also Enjoy

Java SMPP helper

6 minute read

One of my projects involves communicating over SMS with cellular-connected IoT devices. The company already has a working infastructure for sending and recie...

Adding shortcuts to your search engine

3 minute read

I really like DuckDuckGo’s bangs, which basically directs your query elsewhere if you prefix it with !something. You could search the London zoo in gmaps by ...

Bridging Switcher’s UDP over OpenWRT

1 minute read

Seems like I’m doing this setup once every 3 years, then forget about it until the next time it breaks. I hope this is the last time I’m rediscovering this.

Invalid number: Nov

5 minute read

One of my current projects is migrating a big Java project from Java 8 to a supported version. Since we’re doing small, stable steps, we started with Java 11...