Channel: Directory Services forum

Protect password hash when delegating user management rights.

We want to implement a user management policy that protects the password hashes of Active Directory user accounts. As such, we want to grant our account administrators rights to those OUs that they should have access to. Is it necessary to grant each specific field in Active Directory specifically, or is it OK to use GA and GRGW to grant these users the rights they need? For example:

    dsacls <TargetOU> /I:S /G <AdminGroup>:CC;user;
    dsacls <TargetOU> /I:S /G <AdminGroup>:DC;user;
    dsacls <TargetOU> /I:S /G <AdminGroup>:GRGW;;user
    dsacls <TargetOU> /I:S /G <AdminGroup>:GA;;user

What we would like as an end result is that within a specified OU, a designated group could modify any field, create and delete users, reset passwords, but they cannot read or dump the password hash. When we just do GRGW, we notice most fields are not selected, and we don't really want to specify every individual field unless that is necessary to protect the password hash.
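
As an added example (not part of the original post), the following expands the permission statements from the commands above into the specific rights listed in the dsacls help text, to show which rights a GRGW grant leaves out compared with GA. The generic-code expansions follow Active Directory's generic-rights mapping; the function names are hypothetical.

```python
# Added example: expand dsacls permission statements into specific rights.
# Right codes are the ones listed in the dsacls help text; the generic
# expansions follow Active Directory's generic-rights mapping.
GENERIC = {
    "GR": {"RC", "LC", "RP", "LO"},   # generic read
    "GW": {"RC", "WS", "WP"},         # generic write
    "GE": {"RC", "LC"},               # generic execute
    "GA": {"SD", "DT", "RC", "WD", "WO", "LC", "CC",
           "DC", "WS", "WP", "RP", "CA", "LO"},  # generic all
}
SPECIFIC = frozenset(GENERIC["GA"])

def expand(bits):
    """Turn concatenated two-letter codes (e.g. 'GRGW') into specific rights."""
    if len(bits) % 2:
        raise ValueError(f"odd-length permission string: {bits!r}")
    rights = set()
    for i in range(0, len(bits), 2):
        code = bits[i:i + 2].upper()
        if code in GENERIC:
            rights |= GENERIC[code]
        elif code in SPECIFIC:
            rights.add(code)
        else:
            raise ValueError(f"unknown permission code: {code!r}")
    return rights

def parse_ace(spec):
    """Split '<trustee>:<bits>;<object/property>;<inherited type>'."""
    trustee, sep, perm = spec.rpartition(":")
    if not sep or not trustee:
        raise ValueError(f"no trustee in {spec!r}")
    bits, obj, inherited = (perm.split(";") + ["", ""])[:3]
    return {"trustee": trustee, "rights": expand(bits),
            "object": obj or None, "applies_to": inherited or None}

def not_granted(spec):
    """Specific rights an ACE leaves out, sorted for stable output."""
    return sorted(SPECIFIC - parse_ace(spec)["rights"])

if __name__ == "__main__":
    # The four permission statements from the post, placeholders kept as-is.
    for spec in ("<AdminGroup>:CC;user;", "<AdminGroup>:DC;user;",
                 "<AdminGroup>:GRGW;;user", "<AdminGroup>:GA;;user"):
        ace = parse_ace(spec)
        print(spec, "->", sorted(ace["rights"]), "missing:", not_granted(spec))
```

CA (control access) is the right that covers extended rights such as Reset Password, so it appears under GA but not under GRGW.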
