Posted by John Policelli on 5th June 2010
As I’ve mentioned on my blog before, a TechNet Magazine article that I wrote had some errors in it. When I was informed of these errors, I fixed them and asked the TechNet Magazine team to revise the online version of this article. This was a few weeks after it was published. After several repeated attempts, and several months, the online version of this TechNet Magazine article has been updated.
The link to the article is http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx.
Some additional information on this subject:
Tags: Active Directory, AdminSDHolder
Posted in Publications
Posted by John Policelli on 3rd January 2010
I was very happy to hear that I was selected to present at TEC 2010 in Los Angeles.
TEC was previously known as DEC (Directory Experts Conference). The conference has been expanded to include training on Exchange and SharePoint, and effectively renamed to TEC. Here’s a snippet from the TEC 2010 website:
For the 9th consecutive year, the TEC team will deliver expert-led, 400-level training on vital Microsoft technologies. In addition to its highly-acclaimed training on Microsoft Directory & Identity technologies, TEC 2010 will bring back a full agenda of Exchange training, staging the world’s leading authorities on Microsoft’s powerful messaging platform. And, this year, for the first time ever, we are pleased to introduce an entirely new TEC for SharePoint training conference!
I will be presenting in the Directory & Identity track. My session is called An In-Depth Look at AdminSDHolder, Protected Groups, and SDPROP.
Here is the abstract for my session:
Active Directory includes a number of built-in controls, which collectively provide an additional level of security for members of privileged groups. Even though these controls have been in place since the inaugural release of Active Directory a decade ago, administrators are still impacted by this functionality regularly. In this session, John Policelli will dive into the AdminSDHolder object, Protected Groups, and the Security Descriptor Propagator. Real-world examples, demos, and theory will be used to provide you with a comprehensive understanding of how these built-in controls interoperate and how you can use them to further secure members of privileged Active Directory groups.
I’ve attended DEC/TEC for several years, and it has proven invaluable each time. I have yet to find any comparable conferences. For more information on TEC 2010, please go to http://www.theexpertsconference.com/. I hope to see you there!
Tags: Active Directory, AdminSDHolder, Conferences, Directory & Identity, TEC 2010
Posted in Publications
Posted by John Policelli on 23rd September 2009
Since the release of Exchange Server 2010 RC1, there’s been a lot of debate over some ACEs that are added to the AdminSDHolder object by /PrepareDomain in Exchange 2010 RC1. For more information on this, see Exchange 2010 Modification of AdminSDHolder ACL Can Result in Elevation of Privilege and Exchange 2010 RC1 and AdminSDHolder.
A post was added to the Microsoft Exchange Team Blog this morning that confirms that this has been resolved in the RTM version of Exchange Server 2010. More specifically:
- /PrepareDomain no longer applies ACEs granted to Exchange Windows Permissions USG on the AdminSDHolder container. If /PrepareDomain detects the ACEs granted to Exchange Windows Permissions USG on the AdminSDHolder container, /PrepareDomain will remove them.
- /PrepareDomain no longer applies the extended right ACE User-Change-Password to the Exchange Servers USG on the AdminSDHolder container. If /PrepareDomain detects this ACE granted to Exchange Servers USG on the AdminSDHolder container, /PrepareDomain will remove it.
- /PrepareDomain no longer applies the extended right ACE User-Change-Password to the Exchange Servers USG on the domain partition. If /PrepareDomain detects this ACE granted to Exchange Servers USG on the domain partition, /PrepareDomain will remove it.
- /PrepareDomain no longer applies unscoped DeleteTree and WriteDACL ACEs on the domain partition. Instead, these ACEs are replaced by scoping them specifically to user and inetOrgPerson class objects.
Tags: Active Directory, AdminSDHolder, Exchange Server 2010, Securing Active Directory
Posted in Exchange Server
Posted by John Policelli on 31st August 2009
UPDATE: This has been resolved in the RTM version of Exchange Server 2010. Please see Exchange 2010 and Resolution of the AdminSDHolder Elevation Issue for more details.
The PrepareDomain setup phase of Exchange 2010 RC1 adds several Access Control Entries (ACEs) to the Access Control List (ACL) of the AdminSDHolder object. One of these ACEs, Write Property on the member attribute, can be used to elevate privileges from Exchange Organization Administrator to Enterprise Admins, because the Security Descriptor Propagator (SDPROP) copies the AdminSDHolder ACL onto every protected group.
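The following PowerShell audit is an added example, not code from this post or from Microsoft, and it covers both the elevation issue described here and the list of RC1 ACEs that the Exchange team removed in RTM. It reads the explicit ACEs on CN=AdminSDHolder,CN=System,&lt;domain&gt; and reports those granted to the Exchange Windows Permissions or Exchange Servers groups (the "USG" in the team's wording denotes a universal security group), any User-Change-Password extended-right grant, and any WriteProperty grant on the member attribute held by a trustee outside a baseline list. Assumptions: a domain-joined Windows host with read access to the domain partition, the well-known schema GUIDs for the member attribute and the User-Change-Password extended right, and a baseline trustee list that you should replace with your own documented one.

```powershell
# Added example (not from the original post): audit the AdminSDHolder ACL for the
# ACEs discussed above. Assumes a domain-joined host with read access to the domain
# partition; no Exchange or Active Directory PowerShell module is required.

# Well-known schema GUIDs used to match object-specific ACEs (assumed correct for
# a standard AD schema).
$MemberAttributeGuid    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # attribute: member
$UserChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # extended right: User-Change-Password

function Get-AdminSDHolderAccessRules {
    # Returns the explicit (non-inherited) ACEs on CN=AdminSDHolder,CN=System,<domain>.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $holder   = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$domainDn"
    $holder.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
}

function Find-SuspectAdminSDHolderAces {
    param(
        # Groups that the Exchange 2010 RC1 /PrepareDomain step granted ACEs to.
        [string[]] $ExchangeGroups = @('Exchange Windows Permissions', 'Exchange Servers'),
        # Trustees expected to hold write rights on AdminSDHolder in a default domain.
        # Assumption: replace with your own documented baseline before relying on it.
        [string[]] $BaselineTrustees = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')
    )

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    foreach ($ace in Get-AdminSDHolderAccessRules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $trustee   = $ace.IdentityReference.Value
        $shortName = ($trustee -split '\\')[-1]      # strip the DOMAIN\ prefix
        $reasons   = @()

        if ($ExchangeGroups -contains $shortName) {
            $reasons += "ACE granted to Exchange group '$shortName'"
        }

        # User-Change-Password is an extended right; ObjectType carries the right's GUID.
        if ((($ace.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
            $ace.ObjectType -eq $UserChangePasswordGuid) {
            $reasons += 'User-Change-Password extended right'
        }

        # WriteProperty on 'member' (ObjectType = member GUID) or on all properties
        # (ObjectType = empty GUID; GenericWrite/GenericAll include the WriteProperty bit)
        # lets the trustee change membership of every protected group once SDPROP
        # stamps this ACL onto them.
        if ((($ace.ActiveDirectoryRights -band $writeProperty) -ne 0) -and
            ($ace.ObjectType -eq $MemberAttributeGuid -or $ace.ObjectType -eq [guid]::Empty) -and
            ($BaselineTrustees -notcontains $shortName)) {
            $reasons += "WriteProperty on 'member' for non-baseline trustee"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Trustee    = $trustee
                Rights     = $ace.ActiveDirectoryRights.ToString()
                ObjectType = $ace.ObjectType
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

# Run the audit and print a table; an empty result means none of the flagged ACEs are present.
Find-SuspectAdminSDHolderAces | Format-Table -AutoSize
```

Run it as a user who can read the System container; no write access is needed. Because SDPROP re-applies the AdminSDHolder ACL to protected groups on its own schedule, a clean AdminSDHolder does not by itself prove that an earlier RC1 grant has already been removed from every protected group, so the same GUID and trustee checks are worth repeating against the ACLs of the protected groups themselves.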
Tags: Active Directory, AdminSDHolder, Exchange Server 2010, Securing Active Directory
Posted in Exchange Server