GenericAll ACL on "Domain Admins" Group

Question

GenericAll ACL on "Domain Admins" Group

ErazerMe 46

After installation of Exchange (onPrem), we noticed that there are some additional permission configured on the "Domain Admins" group (Tool: Pingcastle)
Does anybody know what effect these permission have? What can the members of "Exchange Trusted Subsystems" do with the "GenericAll" right?

ActiveDirectoryRights : GenericAll
InheritanceType : Descendents
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : f0f8ffac-1191-11d0-a060-00aa006c33ed
ObjectFlags : InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : DOMAIN\Exchange Trusted Subsystem
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : GenericAll
InheritanceType : Descendents
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : c975c901-6cea-4b6f-8319-d67f45449506
ObjectFlags : InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : DOMAIN\Exchange Trusted Subsystem
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : GenericAll
InheritanceType : All
ObjectType : 018849b0-a981-11d2-a9ff-00c04f8eedd8
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : DOMAIN\Exchange Trusted Subsystem
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None

We want to ensure, that no other users (excepting the Domain Admins) are able to modify the Domain-Admins group.

Accepted answer

1 additional answer

Your answer

Answer 1

Gary Reynolds 9,621

Hi @ErazerMe

The exchange install has updated the permissions on the AdminSDHolder Object, which has in turn updated the permissions on the protected groups via the SDProp Process referenced here: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory

The GenericAll right is the same as Full Control.

The Exchange Trusted Subsystem typically contains the exchange servers computer objects, this right is required by Exchange to manage the mail configuration for the object.

Gary.

ErazerMe 46 Reputation points

2022-07-01T13:25:33.24+00:00
Thanks for the answer.
So now the topic is, are the members of the group "Exchange Trusted Subsystem" able to add/remove Members into the Domain Admins group?
Because when I understand it correctly, the group "Exchange Trusted Subsystem" does only have GenericAll/FullControl to the according ObjectTypes or InheritedObjectTypes?

In this case, the Group has Fullcontrol to:

0f8ffac-1191-11d0-a060-00aa006c33ed -> which is publicFolder

c975c901-6cea-4b6f-8319-d67f45449506 -> msExchActiveSyncDevices

018849b0-a981-11d2-a9ff-00c04f8eedd8 - msExchDynamicDistributionList

Or am I wrong here?
I just have to make 100% sure that no one is allowed to change the domain admins group, not even an Exchange subsystem.
Gary Reynolds 9,621 Reputation points

2022-07-02T02:07:10.79+00:00
Hi @ErazerMe

You are correct, the full control permissions will only apply to the ObjectType, be it an object, attribute, propertyset, or right and will be inherited to children objects as defined by the InheritedObjectType.

To change the membership of the domain admins group a trustee would need to be granted one of the following permissions:

Full control of the 'this object' i.e. ObjectType not defined

Write All Properties

Write permissions to the member attribute

Write permissions to the Group Membership property set or a property set that includes member

Owner of the object

With a protected group object these permissions can only be set on the object via the AdminSDHolder, there is no inheritance from the parent container. You can use this post to see the effective permissions for the Exchange Trusted Subsystem - https://nettools.net/how-to-find-active-directory-effective-rights/

Gary.

Answer 2

Hi there,

GenericAll means user with full permission and it is dangerous to provide this other than trusted group members.

Domain Admin group has full rights to the object (add users to a group or reset user's password).You can delegate permission but you must change the security group of the users.

"Privileged" accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.

How Access Control Works in Active Directory Domain Services https://learn.microsoft.com/en-us/windows/win32/ad/how-access-control-works-in-active-directory-domain-services

Privileged Accounts and Groups in Active Directory https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

Active Directory Security Groups https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer--

Share via

GenericAll ACL on "Domain Admins" Group

1 additional answer

Your answer