Configuring rights to "protected" accounts in Active Directory

Anonymous
2024-04-24T02:07:31+00:00

I'm trying to achieve something which I'm starting to think is impossible.

We have automated account scripts which check a few details against privileged accounts: have they become inactive? Is their expiration date more than 12 months in the future? Is their expiration or enabled status different from that of a linked normal account? (The linking is done elsewhere by another script to associate the two.)

Thus, in order to automate these features, the service account has been given the following rights to descendant user objects, placed on the relevant OU folders.

  • Write accountExpires
  • Write enabledProtocols
  • Write expirationTime
  • Write Notes
  • Write userAccountControl

My issue kicks in when we look at protected accounts, or accounts where the attribute adminCount equals 1. These accounts break inheritance and instead grab their permissions from the AdminSDHolder object. The issue is that applying the above settings to that object means a direct 1-to-1 application of these security settings to the protected account. Thus, even though I have applied the above settings, the protected account is not a descendant object of itself, and so all settings configured for descendant objects don't actually take effect.
So if inheritance is turned on, the settings apply and work, but if it is off, protected accounts from a security perspective may as well be considered the OU, not their corresponding AD objects.
Okay, so what if I just apply settings to "this object" and not descendant ones? Because the settings marked above don't exist under those options, and the only way around it would be to grant full control of the objects to this service account. Does anyone know of a way I can grant only the selected rights to protected accounts?

Windows for business Windows Server Directory services Active Directory

Locked Question. This question was migrated from the Microsoft Support Community.

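The mechanism the question describes (protected accounts take their ACL from AdminSDHolder rather than inheriting from the OU) can be audited rather than guessed at. The following PowerShell is an added example, not code from the question or the answer; it assumes the RSAT ActiveDirectory module, a placeholder service account name CONTOSO\svc-acctaudit, and only the two attributes from the list whose schema names are certain (accountExpires, userAccountControl). It lists the property-write ACEs the service account holds on AdminSDHolder (the template that SDProp periodically copies onto adminCount=1 objects) and on each protected account, and reports whether inheritance is blocked, which is why OU-scoped descendant ACEs never reach those accounts.

```powershell
# Added audit example (not from the original post). Assumes the RSAT ActiveDirectory
# module and read access to the ACLs of the domain, AdminSDHolder and the schema.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-acctaudit'                  # placeholder for the question's service account
$Attributes     = 'accountExpires', 'userAccountControl'   # attributes the question grants Write on

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Property-specific ACEs carry the attribute's schemaIDGUID in ObjectType, so map GUID -> name.
$attrByGuid = @{}
foreach ($name in $Attributes) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if ($schemaObj) { $attrByGuid[([guid]$schemaObj.schemaIDGUID).ToString()] = $name }
}

# Return the WriteProperty ACEs held by $ServiceAccount on one object, limited to the attributes above.
function Get-AttributeWriteAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $attrByGuid.ContainsKey($_.ObjectType.ToString())
    } | ForEach-Object {
        $attr = $attrByGuid[$_.ObjectType.ToString()]
        "$attr ($($_.AccessControlType), scope=$($_.InheritanceType), inherited=$($_.IsInherited))"
    }
}

# 1. The template: whatever $ServiceAccount holds here is what SDProp stamps onto adminCount=1 objects.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$domainNC"
Write-Host "ACEs for $ServiceAccount on $adminSdHolder"
Get-AttributeWriteAce -DistinguishedName $adminSdHolder

# 2. Each protected account: inheritance should be blocked, so OU-level descendant ACEs never appear here.
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    [pscustomobject]@{
        Account            = $_.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ServiceAccountAces = (Get-AttributeWriteAce -DistinguishedName $_.DistinguishedName) -join '; '
    }
} | Format-Table -AutoSize
```

A protected account whose ServiceAccountAces column is empty while the OU grants those rights to descendants is the situation the question describes; only ACEs present on AdminSDHolder itself survive the next SDProp pass.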

1 answer

  1. Anonymous
    2024-04-24T06:23:01+00:00

    Hi Joshua Reynolds1,

    Thank you for posting in the Microsoft Community Forums.

    Your situation involves managing permissions for protected accounts in Active Directory. In this scenario, you want to grant specific permissions to the protected accounts rather than their descendant objects. Here are the steps to grant selected permissions to a protected account:

    1. Find the Protected Account: Firstly, identify the protected account to which you want to grant permissions. This is typically an account with administrative privileges or other sensitive permissions.
    2. Edit the Account's Security Descriptor: You'll need to edit the security descriptor of that account to grant the desired permissions. This can be done through the Active Directory Users and Computers management tool.
    3. Grant Permissions: Within the account's security descriptor, locate the permissions you want to modify. You've listed some permissions such as write to accountExpires, write to enabledProtocols, etc. Make sure to add appropriate Access Control Entries (ACEs) for these permissions.
    4. Review and Test: Before making changes, be sure to review the changes you're making and test them in a testing environment before the production environment.

    During the operation, exercise caution and ensure you understand the implications of the changes you're making. Editing security descriptors is a sensitive operation and can have significant impacts on the security of the system. It's best to perform this operation under the guidance of experienced administrators or at least test in a testing environment.

    Best regards

    Neuvi Jiang
