Monday, December 7, 2009

Sysinternals AD Explorer bypasses security settings in AD

I recently found that the AD Explorer tool from Sysinternals has a different way of handling the display of OU structures.

In an Active Directory, an OU is set up with security rights so that only administrators can view the contents. If you fire up Active Directory Users and Computers, it won't show the contents of this folder, as expected.

Since I also use alternative tools to do things, I also use AD Explorer. When a colleague had trouble seeing the contents of the OU, I found that I was able to view the contents of the OU. This is strange since we have similar user rights.

I haven't found out yet why AD Explorer behaves differently from the native tooling, especially since Microsoft acquired Sysinternals and the tools are placed on TechNet.

Today I was unable to access the same OU. The only thing that changed is that all members now have security rights set so that they are only visible to administrators. It looks like when an object in an OU is visible to the user, AD Explorer will open the OU to show this object (and all others).
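
An added example, not part of the original post: a PowerShell audit for the condition described above, listing Allow ACEs that give non-administrator principals read or list rights on an OU and on each of its direct children. The OU distinguished name and the list of principals treated as administrators are placeholder assumptions, and the script needs the RSAT ActiveDirectory module.

```powershell
# Added example: audit who can read an OU and the objects directly inside it.
Import-Module ActiveDirectory

# Assumptions (placeholders, not from the post): the OU's DN and the
# principals that count as "administrators" in this environment.
$OuDn = 'OU=Restricted,DC=example,DC=com'
$AdminPrincipals = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Enterprise Admins'
)

# Rights that let a principal enumerate a container or read an object.
# GenericRead and GenericAll include these bits, so they match as well.
$ReadRights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ListObject, ReadProperty'

function Get-NonAdminReadAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        $grantsRead = [bool]($ace.ActiveDirectoryRights -band $ReadRights)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and
            $AdminPrincipals -notcontains $who) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $who
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the OU itself, then every direct child object.
$children = Get-ADObject -SearchBase $OuDn -SearchScope OneLevel -Filter * |
    Select-Object -ExpandProperty DistinguishedName
$targets = @($OuDn) + @($children)

$targets |
    ForEach-Object { Get-NonAdminReadAce -DistinguishedName $_ } |
    Sort-Object Object, Principal |
    Format-Table -AutoSize
```

A row for a child object with no matching row for the OU itself is the mismatch the post describes: the container is locked down but something inside it is still readable.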
