ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to find out who can create user accounts in an Active Directory Organizational Unit (OU) ?


Newbie

Posts: 4
Date: Jan 3, 2013
How to find out who can create user accounts in an Active Directory Organizational Unit (OU) ?
Permalink  
 


Hello Forum,

As I indicated in my other question, I am trying to find out whether or not one of our contractors has the ability to create user accounts in our Active Directory. We need to know this because of the risks asosciated with someone being able to create and user an unauthorized domain user account in our environment.

So I was trying to analyze the ACL of the OU to try and find out whether this user can create user accounts in the OU. However, there are too many security permissions in the OU's ACL and it is appearing to be very confusing, as we have delegated access based on nested security groups, and we have a hanfdul of deny permissions.

So I figured another way to get to this would be to see if thereĀ is any easy way to find out who can create user accounts in this OU? If this possible, it would save me a lot of headache, as I'm hitting a wall when I try to analyze all these permissions, especially in enumerating group memberships and keeping track of them in light of all the permissions in the various ACEs.

Any advice or pointers would be helpful.

Thank you.

Jorge



__________________

I'm digging my new Microsoft Surface Tablet.

Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to Del.icio.us
Members Login
Username 
 
Password 
    Remember Me