
AD user object ACL owner issue #185

Open
SokratisUNI opened this issue Jun 7, 2023 · 3 comments

@SokratisUNI

Hello,

I've noticed a weird issue which I've been trying to solve for quite some time.
On one specific account, the owner of this object was updated to another group "Domain Admins", but PingCastle reports that the old groups still have Full rights.

I have used different tools to list all permissions, inherited or not, but cannot find why this is being reported by your tool.


Hopefully, I am not missing something obvious here :)

@SokratisUNI (Author) commented Oct 28, 2024

So, I finally had some time and created a test VM where I reproduced the above behavior.
The steps to reproduce are:

  • choose a non-admin user (in this case "kevpa") and make him a member of the delegated group "Create User"
  • create a new user named "Admin" under "kevpa"
  • change the owner of the newly created "Admin" account to Domain Admins
  • make "Admin" a member of Domain Admins

Now at this point, SDProp should do (and it does) its magic, but PingCastle keeps showing that user "kevpa" still has "indirect access".

Attached is the report created with the latest PingCastle version: ad_hc_contoso.net.html.zip

Permissions assigned to group "Create User" are:

{400E6FE6-0762-491F-B9EA-418BDC3148FA}

Thanks for sharing this wonderful tool!!!
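A quick way to check the state SDProp should have left the "Admin" object in (inheritance blocked, DACL identical to AdminSDHolder, no inherited ACEs from the parent OU), as an added example that is not part of this issue or of PingCastle. It assumes the RSAT ActiveDirectory module and the account name from the reproduction steps; the function name is made up here.

```powershell
# Added example, not from the issue or from PingCastle: report whether a user
# object is actually in the state SDProp leaves protected objects in
# (adminCount=1, inheritance blocked, DACL identical to AdminSDHolder) and
# which identities still hold explicit rights on it. Assumes the RSAT
# ActiveDirectory module and the "Admin" account from the reproduction steps.
Import-Module ActiveDirectory

function Get-ProtectedObjectAclReport {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
    $acl  = $user.nTSecurityDescriptor

    # AdminSDHolder is the template SDProp copies onto protected objects
    # (by default every 60 minutes, on the PDC emulator).
    $domainDN = (Get-ADDomain).DistinguishedName
    $template = (Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDN" `
                    -Properties nTSecurityDescriptor).nTSecurityDescriptor

    # Compare only the DACL part of the SDDL; owner and group may legitimately differ.
    $daclOnly = [System.Security.AccessControl.AccessControlSections]::Access
    $userDacl = $acl.GetSecurityDescriptorSddlForm($daclOnly)
    $tmplDacl = $template.GetSecurityDescriptorSddlForm($daclOnly)

    $inherited = @($acl.Access | Where-Object { $_.IsInherited })

    [pscustomobject]@{
        User                 = $user.DistinguishedName
        Owner                = $acl.Owner
        AdminCount           = $user.adminCount
        InheritanceBlocked   = $acl.AreAccessRulesProtected
        InheritedAceCount    = $inherited.Count
        MatchesAdminSDHolder = ($userDacl -eq $tmplDacl)
        # Identities holding rights directly on the object, independent of how
        # a reporting tool walked the OU hierarchy to reach it.
        ExplicitTrustees     = @($acl.Access |
                                   Where-Object { -not $_.IsInherited } |
                                   ForEach-Object { $_.IdentityReference.Value } |
                                   Sort-Object -Unique)
    }
}

# For an object protected by SDProp expect InheritanceBlocked = True,
# InheritedAceCount = 0 and MatchesAdminSDHolder = True; a delegated group
# such as "Create User" then has no path to it through the parent OU.
Get-ProtectedObjectAclReport -Identity 'Admin' | Format-List
```

If MatchesAdminSDHolder is False shortly after the membership change, wait for the next SDProp cycle and run it again before treating a report finding as a real delegation.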

@JoeDibley JoeDibley self-assigned this Oct 28, 2024
@JoeDibley JoeDibley added the "bug" and "good first issue" labels Oct 28, 2024
@JoeDibley

Hi there, thank you for the extra information and the report here! I have reproduced the issue, but I cannot immediately track down where exactly the bug is. It is obvious that there is an issue with nested permissions vs. AdminSDHolder protection (or just specific object permissions), and it seems like it may be based on the container_hierarchy section not excluding objects that do not have inheritance enabled.

We will add this to the backlog and aim to fix this in the next 3.4 version. Will keep you updated.

@JoeDibley JoeDibley added this to the PingCastle 3.4 milestone Oct 29, 2024
@SokratisUNI (Author)

Thank you @JoeDibley, I appreciate your feedback.
