Active Directory - What gets copied when a user object is copied?

Question

Active Directory - What gets copied when a user object is copied?

Daya 61

So I have a user called User1 who is a member of a few groups. In the 'Security' tab of their properties, I took a look at the access permissions for each permission entry (Group or user names).

I then made a copy of User1 called User2. When I compared the permissions under the Security tab, the permissions for a few entries (eg 'SELF') are different for the copied user. User2 is a member of all the groups that User1 is a part of, though.

Could you please tell me why those permissions are different if all I am doing is copying the object?

Also - what exactly gets copied when a User object is copied?

Thank you :)

Accepted answer

0 additional answers

Your answer

Answer 1

Gary Reynolds 9,621

Hi @Daya

The permissions of an object are made up of two types of permissions, permissions that are directly applied to the object and permissions are inherited from the parent OU\Container. Any permissions that have None against the 'Inherited from' column are directly assigned permissions.

If you move an object to a different OU, the direct permissions are maintained and the inherited permissions will be inherited from the new parent OU\container. When you create a new object, the direct permissions are taken from the object's default permissions from the schema, and it will inherit the permissions from the parent OU\container.

What method are you using to copy the objects?

Gary.

Daya 61 Reputation points

2022-04-19T11:54:18.603+00:00

Thank you, @Gary Reynolds :) That makes sense.

Why are the group memberships copied, then? That is not applied at the OU level but at the individual User level only.

Both objects are in the same OU. I am using the right click->copy option to copy the user object.

Could you please answer my other question also? active-directory-what-exactly-does-a-group-inherit.html
Gary Reynolds 9,621 Reputation points

2022-04-19T12:19:05.53+00:00

When you use the copy user option the following attributes are copied from the source user to the new user object:

accountExpires
assistant
c
co
codePage
company
countryCode
department
division
employeeType
homeDirectory
homeDirectory
homeDrive
localeID
logonHours
logonWorkstation
manager
manager
maxStorage
memberOf
msNPAllowDialin
msNPCallingStationID
msNPSavedCallingStationID
msRADIUS-FramedInterfaceId
msRADIUS-FramedIpv6Prefix
msRADIUS-FramedIpv6Route
msRADIUS-SavedFramedInterfaceId
msRADIUS-SavedFramedIpv6Prefix
msRADIUS-SavedFramedIpv6Route
msRADIUSCallbackNumber
msRADIUSFramedIPAddress
msRADIUSFramedRoute
msRADIUSServiceType
msRASSavedCallbackNumber
msRASSavedFramedIPAddress
msRASSavedFramedRoute
otherLoginWorkstations
postalAddress
postalCode
postOfficeBox
preferredOU
profilePath
scriptPath
showInAddressBook
st
street
userWorkstations
l
primaryGroupID
showInAdvancedViewOnly
userAccountControl

This list of attributes is defined by the SearchFlags attribute in the schema, this list is based on a default Windows 2019 AD schema. As you can see the memberof attribute is included, which is the user group membership. The ntsecuritydescriptor attribute is not listed, this is used to hold the permissions of the object, so when the new object is create the default permissions are assigned.

Gary.
Daya 61 Reputation points

2022-04-19T12:26:35.8+00:00

Please tell me where you got this list from (so that I can check which attributes are inherited on other objects like Groups). Thank you so much! @Gary Reynolds
Gary Reynolds 9,621 Reputation points

2022-04-19T13:24:03.92+00:00
There is no simple way to get this list, it takes a number of queries to get the list of attributes per object type, but to simplify process the query below will list all the attributes that will be copy, irrespective of the object type. You can get the list of attributes that associated to an object, in ADUC open the properties dialog and select the attribute editor tab, and the allowedattributes attribute will have the complete list of attributes for the object, you can then compare this against the list produced from the query below.

[AD: Schema Copy Attributes] Options=135753 Server= BaseDN=##schema Filter=(&(objectclass=attributeschema)(searchflags|=16)) Attributes=ldapdisplayname, searchflags DisplayFilter= Filename= Sort= Controls= Authentication=1158 Separator=,

This query is for NetTools, have a look a this page on how to import this query. https://nettools.net/ldap-search-favorites/ using the LDAP Search option https://nettools.net/ldap-search/

Gary.

Share via

Active Directory - What gets copied when a user object is copied?

0 additional answers

Your answer