What is the $SpecialGroupsPolicy in Directory and Resource Administrator? (NETIQKB308)

  • 7700308
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

Goal

What is the $SpecialGroupsPolicy in Directory and Resource Administrator?

How do I restrict some actions on special groups and their members?

How do I remove restrictions of some actions on special groups and their members?

What validation logic does Directory and Resource Administrator use to determine whether an action is permitted on a special group or its members?

Fact

Directory and Resource Administrator 6.x
Directory and Resource Administrator 7.x
Directory and Resource Administrator 8.x

Fix

Directory and Resource Administrator (DRA) uses the policy $SpecialGroupsPolicy (which is enabled by default) to restrict some actions on special groups and their members. If you do not want to restrict actions on special groups and their members, you can disable this policy using the Business Rules and Policy snap-in from the MMC interface or by disabling the policy in the Delegation and Configuration console/Policies.

When the special groups policy is in effect, Directory and Resource Administrator uses the following validation logic to determine whether an action is permitted on a special group or its members:

  • If the Assistant Admin is a Windows NT or Windows 2000\2003 administrator, the Assistant Admin can perform actions on special groups and their members for which the Assistant Admin has the appropriate power.
  • If the Assistant Admin is a member of a special group, the Assistant Admin can perform actions on the same special group and its members, as long as the Assistant Admin has the appropriate power.
  • If the Assistant Admin is not a member of a special group, the Assistant Admin cannot modify a special group or its members.

This policy is designed to prevent escalation of powers. For example, if the Assistant Admin can change the password of a user in the Administrators group, s/he can then log on as that user and gain the access that the Administrators group provides. Thus, to provide a more secure environment, Directory and Resource Administrator treats the following groups in this special manner:

    Windows NT

    • Administrators
    • Domain Admins
    • Print Operators
    • Backup Operators
    • Account Operators

    Windows 2000\2003

    • Administrators
    • Domain Admins
    • Print Operators
    • Backup Operators
    • Account Operators
    • Cert Publishers
    • DNS Admins
    • Enterprise Admins
    • Group Policy Creator Owners
    • Schema Admins
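
The three validation rules above, together with the password-reset escalation scenario, modelled as a decision function. This is an added example written for this article, not NetIQ code: the AssistantAdmin record, the power names ("Reset Password", "Modify Group Membership") and the sample accounts are constructed for illustration, while the special-group lists and the three rules are taken from the article. One reading the article implies but does not spell out, and which the code assumes, is that a user who belongs to several special groups is protected by each of them, so the check must pass for every special group the user is in.

```python
"""Model of the validation logic DRA's $SpecialGroupsPolicy applies.

Added, stand-alone example; not NetIQ code. The AssistantAdmin record, the
power names and the sample accounts are constructed. The special-group names
and the three rules are the ones the article states.
"""
from dataclasses import dataclass

# Special groups as listed in the article, per platform.
SPECIAL_GROUPS = {
    "Windows NT": frozenset({
        "Administrators", "Domain Admins", "Print Operators",
        "Backup Operators", "Account Operators",
    }),
    "Windows 2000\\2003": frozenset({
        "Administrators", "Domain Admins", "Print Operators",
        "Backup Operators", "Account Operators", "Cert Publishers",
        "DNS Admins", "Enterprise Admins", "Group Policy Creator Owners",
        "Schema Admins",
    }),
}


@dataclass(frozen=True)
class AssistantAdmin:
    """Constructed representation of a DRA Assistant Admin (assumption)."""
    name: str
    is_os_admin: bool        # Windows NT / 2000 / 2003 administrator
    member_of: frozenset     # security-group memberships
    powers: frozenset        # DRA powers delegated to this Assistant Admin


def permits_on_group(aa, power, group, platform, policy_enabled=True):
    """Decide whether `aa` may exercise `power` on `group`.

    Returns (allowed, reason). Rules 1-3 mirror the article; lacking the
    power denies the action regardless of the special-group rules.
    """
    if power not in aa.powers:
        return False, "Assistant Admin does not hold the power"
    if not policy_enabled or group not in SPECIAL_GROUPS[platform]:
        return True, "target is not a special group or the policy is disabled"
    if aa.is_os_admin:
        return True, "rule 1: OS administrator holding the power"
    if group in aa.member_of:
        return True, "rule 2: member of the same special group"
    return False, "rule 3: not a member of this special group"


def permits_on_user(aa, power, user_groups, platform, policy_enabled=True):
    """Decide whether `aa` may exercise `power` on a user in `user_groups`.

    Assumption (not spelled out in the article): a user who belongs to several
    special groups is protected by each of them, so every special group the
    user is in must pass permits_on_group.
    """
    if power not in aa.powers:
        return False, "Assistant Admin does not hold the power"
    if not policy_enabled:
        return True, "$SpecialGroupsPolicy is disabled"
    for group in sorted(user_groups):
        if group in SPECIAL_GROUPS[platform]:
            allowed, reason = permits_on_group(aa, power, group, platform)
            if not allowed:
                return False, f"{group}: {reason}"
    return True, "no special-group membership blocks the action"


# Constructed sample accounts.
W2K = "Windows 2000\\2003"
HELPDESK = AssistantAdmin("helpdesk", False, frozenset({"Print Operators"}),
                          frozenset({"Reset Password"}))
OPS_ADMIN = AssistantAdmin("ops-admin", True, frozenset({"Domain Admins"}),
                           frozenset({"Reset Password", "Modify Group Membership"}))

if __name__ == "__main__":
    # The escalation case from the article: a helpdesk Assistant Admin with the
    # Reset Password power must not reset an Administrators member's password.
    for target in ({"Domain Users", "Administrators"},
                   {"Domain Users", "Print Operators"},
                   {"Domain Users"}):
        print(sorted(target), permits_on_user(HELPDESK, "Reset Password", target, W2K))
    print(permits_on_user(HELPDESK, "Reset Password", {"Administrators"}, W2K,
                          policy_enabled=False))
```

Running the block prints the decision and the rule that produced it for each sample target; the first target is denied by rule 3, the second is allowed by rule 2, and the last line shows that disabling the policy removes the restriction, as the Fix section describes.
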

Note

See: NETIQKB11895: 'How can I exclude certain 'Special' or 'Built-In' groups from ActiveViews?'

Additional Information

Formerly known as NETIQKB308