if this is normal or not really depends on the security you've set in your AD or on the objects. With the default permissions this doesn't work (i.e. would it not be normal), since a "normal" user can only edit specific attributes on his own account object (everything that's granted to be writable to SELF - which is actually more than 40 attributes, so it's quite a lot)
The easiest way to find the difference to the default security is to know the default security descriptor as it's set on newly created objects (either check out on user-class in schema of newly installed AD or read the AD Delegation WP http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-4 8fa-9730-dae7c0a1d6d3&DisplayLang=en) Then compare to what permissions your objects have been granted - take special care to check the permissions for Authenticated Users... /Guido -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway Sent: Mittwoch, 14. Juli 2004 20:18 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] User changing account properties Users seem to be able to use the windows XP built in people search to change other users AD attributes. I assume this isn't normal. Is there a tool I can use to find differences from the default AD attributes security. This is a windows 2000 AD. Thank you jb List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
