Score:3

Server

Active Directory: Account Operators can delete Domain Admin accounts

Matthew McDonald

2/28/24, 8:34 PM

Scenario

Active Directory has a scheduled background process called SDProp that periodically checks for and applies a specific security descriptor (permissions) of certain groups (and its members) that AD considers protected. The permissions that are set are derived from those set on the AdminSDHolder object in AD.

For the purpose of this discussion, we'll focus on Domain Admins.

See here: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory

And here: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#default-security-groups

Quote:

... If the permissions on any of the protected accounts and groups do not match the permissions on the AdminSDHolder object, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object

Further, Account Operators have, by default, permissions to manage all user/computer/group objects in the domain, except for any of the protected groups/members, due to this SDProp process.

Case in point, attempting to modify a domain admin account with an Account Operator leads to an access denied error.

Issues

First issue:

While they cannot modify these protected accounts, as per the above process, Account Operators CAN, however, delete them! This should not be possible per my understanding of this protection mechanism.

When viewing the permissions of the domain admin account, Account Operators is not listed anywhere. Further, running an effective access check for an AO shows it only has read permissions/properties. All write and delete permissions are denied. This is expected.

It appears the ability to delete the protected account stems from an ACL on the OU containing it, whereby the Account Operators group has the Create and Delete user objects right (this object only), within that OU.

Case in point, if I edit that ACE and remove the Delete right, the issue noted above goes away and the AO can no longer delete the domain admin.

Second Issue

As noted above, the effective permissions appear to be hiding the fact that the AO can delete the object. I truly don't understand this.

Questions Needing Answered

Why is the permission on the OU overriding the permissions set on the protected account by adminSDHolder? The entire purpose of this process is to PREVENT any specific delegated permissions from anywhere applying to the protected accounts, in order to protect them.
Why doesn't the Effective Access tab properly reflect I have the ability to delete this account, as per the OU permissions?

1069

2 + 6

windows

active-directory

windows-server-2016

Greg Askew

2/28/24, 11:38 PM

You may want to update your AdminSDHolder OU ACL's to include the Deny Delete ACE for Everyone, similar to what is done for OU's. Also the Create/Delete applies to the OU, not the account itself.

0

Reply

Matthew McDonald

3/1/24, 10:31 PM

@PimpJuiceIT I'm not sure what you are suggesting. What "new question" are you suggesting?

0

Reply

Matthew McDonald

3/1/24, 10:32 PM

@GregAskew I'm sure that would be a way to prevent the issue I'm facing, but all I'm trying to figure out is why this is even an issue. What I am seeing goes against what my understanding of adminSDHolder is intended for.

0

Reply

Matthew McDonald

3/2/24, 9:50 PM

@PimpJuiceIT I've already done significant amount of testing. On the OU if I remove the "delete user objects" permission, then I can no longer delete the protected account. The problem is, this is not supposed to be possible, as it defeats the entire purpose of adminSDHolder process entirely if someone can simply set a delegation on a higher OU to override those permissions.

0

Reply

Matthew McDonald

3/2/24, 10:32 PM

@PimpJuiceIT I'm in the process of standing up a test domain to rule that out. With that said, even if they did, it shouldn't matter, as the link you're referencing also states: "If the permissions on any of the protected accounts and groups do not match the permissions on the AdminSDHolder object, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object". The permissions currently match that of AdminSDHolder.

0

Reply

Matthew McDonald

3/7/24, 4:50 PM

I've set up a test domain and it looks like this is possible by default. I don't understand why MS would allow this.

1

Reply

Score:4

Server

Jevgenij Martynenko

2/28/24, 8:56 PM

I think your misconception comes from assumption that since Domain Admins is a protected group, all its members are also protected. Which is not the case. Hence AdminSDHolder does not apply to these accounts.

The documentation never states this explicitly, but it also does not state that members of Domain Admins are considered protected. Nor does it state that Account Operators can't delete Domain Admins group members

References:

+ 1

Matthew McDonald

3/2/24, 9:58 PM

Unfortunately this is incorrect. I have no misconception. Members of those protected groups themselves become protected. In fact the second link you sent explicitly states this: "Some of the administrative groups that are listed in this article and all members of these groups are protected by a background process that periodically checks for and applies a specific security descriptor."

0

Reply

Score:2

Server

Pimp Juice IT

3/3/24, 1:21 AM

The effective permissions appear to be hiding the fact that the AO can delete the object. I truly don't understand this.

I liked this Secure Identity post so much about this topic, I figured I'd reference and quote the relevant parts of it as it relates to your question specifically.

I think that's a good question many people would want to know once they are aware of this if using Account Operators is standard practice in their AD domain environment—I certainly had never tried to delete a Domain Admin member AD account with an Account Operator, but I have supported environments in the past where they used Account Operators where I was a Domain Admin.

Now, if we look at the options we have regarding deleting objects in Active Directory you may have seen that there is three different types of Delete:

Delete (DELETE Access Mask)

Delete Child (ADS_RIGHT_DS_DELETE_CHILD Access Mask)

Delete Subtree (ADS_RIGHT_DS_DELETE_TREE Access Mask)

And here it gets interesting. When performing a delete action, the system verifies the security descriptor for both the object and its parent object before allowing or denying the deletion.

An ACE that explicitly denies Delete access to a user has no effect if the user has Delete Child access on the parent. Similarly, an ACE that denies Delete Child access on the parent can be overridden if DELETE access is allowed on the object itself.

Source: Access Control and Object Deletion

Delete and Delete Child examples:

Example One:

My admin user Tony don’t have the ACE: Allow Delete access on a Domain Admin user named Hank. Tony could still delete the account if he has the ACE: Allow Delete Child User on the parent OU.

Example Two:

If an Explicit ACE: Deny Delete access is set on Hank. Tony would still be able to delete the account if he has the ACE: Allow Delete Child User on the parent OU.

And if we reverse it: Tony ends up in an ACE: Deny Delete Child User on the parent OU, he could still delete it if he has Explicit Allow Delete in an ACE on the user object.

So, with this we can see that the AdminSDHolder Security Descriptor doesn’t really protect the admins or nested groups in all scenarios. If you look back at the effective permissions picture, Tony had no rights on the user to delete it. But he has the ACE: Allow Delete Child User on the parent OU and will be able to delete Hank which is a member of Domain Admins group.

Default rights

Now when we have talked about the delete access rights it could be a good idea to think about who has these powers default in Active Directory? Besides the obvious ones like Administrators, Domain Admins, Enterprise Admins we of course also have the well-known Account Operators group.

Account Operators has default explicit Full Control on User, Computer, Group and InetOrgPerson objects. They don’t have that explicit access granted on the AdminSDHolder Security Descriptor, but they do have an explicit Create/Delete Child User, Group, Computer and InetOrgPerson on Organizational Units. If the parent OU to the Domain Admins don’t have the explicit Deny Delete Child Users AO will be able to delete Domain Admin users.

(This can be removed from the defaultSecurityDescriptor attribute of the object class defined in Schema if you’re up to the task)

Another angle is targeting group nesting, if users has DA membership via group nesting just delete that group and they won’t be DA anymore.

These are a few reasons why I want to have Admin OU separated as a Root OU to minimize the risks of faulty delegation.

Source

Supporting Resources

+ 6

Pimp Juice IT

3/3/24, 1:23 AM

@MatthewMcDonald I deleted all my comments and posted what you're after in an answer instead. I believe this is the technical reason it works that way. You already know how to restrict that as per your latest edit on your quest post, but this explains the technicalities or the why I believe that you are seeking. This should at least give you a more accurate starting point than just saying MS doesn't explicitly state it doesn't work per the other answer you say is inaccurate. Happy technical digging Mr sysadmin!!

1

Reply

Greg Askew

3/3/24, 11:11 AM

It may help to compare this to adding or removing a group member. Many believe that modifies the user account. It does not modify the user account at all, it only modifies the group object. That is due to a backlink, which is not present here but the concept is similar. "Delete" in this context removes the link to the child from the parent. In 2023, "Protect object from accidental deletion" is more than a friend, it is a required setting to enable for any critical object, group, or account. Also not using pre-existing Account Operators that have permissions sprinkled all over the place.

0

Reply

Greg Askew

3/3/24, 11:18 AM

Also note in code, when updating the childparent of an object (OU/UserAccounts, etc), there are .Add() and .Remove() methods on DirectoryEntry.Children, which is a collection of DirectoryEntry. DirectoryEntry.Parent does not have an equivalent concept. https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directoryentry.children and https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.directoryentry.parent

0

Reply

Greg Askew

3/3/24, 11:57 AM

This behavior is also consistent with NTFS file permissions delete child semantics. A file can be deleted even if delete permission is not granted on the file itself. See: https://superuser.com/questions/815314/ntfs-permissions-deny-delete-does-not-work and: https://www.ntfs.com/ntfs-permissions-file-advanced.htm

0

Reply

Matthew McDonald

3/7/24, 4:55 PM

@PimpJuiceIT Thanks for this. This all makes sense and as my edit indicated I understood this to be the reason. I just don't understand how MS would let this happen. In no situation should anyone outside of Domain Admins/Administrators be able to delete adminSDHolder bound objects, otherwise it defeats the purpose. Anyway, I appreciate the indepth answer. I'll just leave it at that.

1

Reply

Pimp Juice IT

3/7/24, 8:48 PM

You're welcome and I'm glad you asked this question because I was never aware or tested this, and I sort of assumed AO couldn't delete DA too.... It was a surprise for me to find this out so thank you. The only thing we can do now, is only make AO's those that are trustworthy enough to not be a malicious DA deleting user. We know that the actual Administrator/Domain Administrator account cannot be deleted just others that are DA but not the Administrator itself domain account Administrator wise. Thank you for this question Matt, it has been fun learning about this!

0

Reply