Sunday, April 6, 2008

Domain local security groups for cross-forest security

With multi-domain forests there is a chance of access control entries being ignored when querying a Global Catalog if domain local groups for a domain other than that of the current GC are used to secure directory objects. This can include both allowing and denying access, each of which carry risks. This is mitigated somewhat as this is limited to GC read-only operations on secured Active Directory objects, but still needs to be carefully assessed before using in multi-domain forests. There are no known issues with single-domain forests.

These issues arose in the scenario of a cross-forest administration domain, where there is little choice but to use domain local groups to secure directory objects in managed domains, thereby enabling access to be granted to global/universal groups across-forests.

This goes against general Microsoft recommendation, and some research has been completed to further understand the limitations.


  1. Connecting with a cross-forest account to administer a trusting domain.
  2. The cross-forest account is a member of a global or universal group in the trusted domain
  3. The cross-forest group is a member of a trusting domain local group
  4. ACLs are applied on directory objects to the domain local group.
  5. The trusting domain is one of several domains in a forest
  6. There is an external one-way NTLM trust, with each domain in the forest being accessed (but I don't believe a forest trust would change the result)
  7. ACLs are set on a local group in the trusting domain denying access to the read a security group object.
  8. The user is a member of this cross-forest domain global group that is a member of the domain local group to deny access

The cross-forest user tries to query the secured object:

  • dsquery * "CN=SecurityGroupName,CN=Users,%domainDN%" -attr * -gc

As access is denied on this object, Dsquery reports:

  • dsquery failed:The specified directory service attribute or value does not exist.

However, to bypass the security applied to the ACE, you could target the GC query at the other trustin domain in the forest:
  • dsquery * "CN=SecurityGroupName,CN=Users,%domainDN%" -attr * -gc -s

Object is successfully enumerated as the trusting domain local ACE is ignored.

The same occurs in the scenario of granting specific access to an object that would otherwise be denied or not implicity granted.

What this does not affect:

  1. Single-domain forests. The scope of domain local is not an issue as there is only one domain.
  2. LDAP 389 operations to a domain partition on a DC, rather than a read-only GC type query.
  3. Samr/netlogon operations to a Domain Controller in the trusting domain
    Replication issues. Originally it was thought that this could cause issues with replication consistency, this is not the case and only affects security on the GC.

What this could affect:

  1. Security on automated GC usage, such as Universal group enumeration (during logon or otherwise), forest-wide searches, Exchange address-book lookups and UPN logons
  2. Security on any manually initiated GC query (such as used in the testing).


  1. Application directory partitions with a forest-wide replication scope, such as forest dns zones. It seems the 'Security descriptor reference domain' of an application partition partially solves this issue, in addition to GC not containing replicas of any application partitions and an application directory partition can't contain security principals.


  1. The user token contains universal, global and domain local groups for the user domain (cross-forest), not domain local groups in the DC domain. An impersonation token is created for the GC access, containing the forest-wide universal, domain global and domain local scope of the domain that the GC is in.
  2. The same can be seen through the GUI when connecting with ldp.exe to the a GC instance of one domain over 3268, and then browsing to the other domain tree
  3. Groups of scope domain local are partially replicated to the Global Catalog in the forest, so when viewing the security descriptor of an object that contains a domain local reference from another domain than the domain of the connected GC, the SID is easily resolved to a name. However, the token used to authenticate the GC query contains only the domain local groups in the GC's domain, not the intended trusting domain, causing the ACE to be ineffective.
  4. Exchange 2007 has some capability to automate the configuration of cross-forest Exchange administration. I assume it won't be too long before a Windows AD administration equivalent is available. There is reference to parallel groups and then using the ForeignForestFQDN Exchange setup option, I'm unsure of the outcome, but I assume it is universal->local->ACE (see Step 7 in 'How to Configure Cross-Forest Administration')
Excerpt from 'Global catalog replication' below:

A global catalog stores a replicated, read-only copy of all objects in the forest and a partial set of each object's attributes, including the security descriptor for each object. The security descriptor contains a discretionary access control list (DACL), which specifies permissions on the object. When a user connects to a global catalog and tries to access an object, an access check is performed based on the user's token and the object's DACL. Any permissions specified in the object's DACL for domain local groups that are not from the domain that the domain controller hosting the global catalog (to which the user has connected) belongs to, will be ineffective because only domain local groups from the global catalog's domain of which the user is a member are represented in the user's access token. As a result, a user may be denied access when access should have been granted, or allowed access when access should have been denied.

As a best practice, you should avoid using domain local groups when assigning permissions on Active Directory objects, or be aware of the implications if you do use them. To prevent unauthorized access to global catalog data, use global groups or universal groups instead. For information about global and universal groups, see Group scope.

Global catalog replication

DNS zone replication in Active Directory

Application directory partitions

What Is the Global Catalog?

What's New in Active Directory

How to Configure Cross-Forest Administration (Exchange 2007)

Exchange 2007 Permission Considerations

Multiple Forest Considerations in Windows 2000 and Windows Server 2003

Group Scope (2003):

Group Type and Scope Usage in Windows

Accessing resources across-forests

Accessing resources across domains

Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.

No comments:

All Posts

printQueue AD objects for 2003 ClusterVirtualCenter Physical to VirtualVirtual 2003 MSCS Cluster in ESX VI3
Finding duplicate DNS recordsCommand-line automation – Echo and macrosCommand-line automation – set
Command-line automation - errorlevels and ifCommand-line automation - find and findstrBuilding blocks of command-line automation - FOR
Useful PowerShell command-line operationsMSCS 2003 Cluster Virtual Server ComponentsServer-side process for simple file access
OpsMgr 2007 performance script - VMware datastores...Enumerating URLs in Internet ExplorerNTLM Trusts between 2003 and NT4
2003 Servers with Hibernation enabledReading Shortcuts with PowerShell and VBSModifying DLL Resources
Automatically mapping printersSimple string encryption with PowerShellUseful NTFS and security command-line operations
Useful Windows Printer command-line operationsUseful Windows MSCS Cluster command-line operation...Useful VMware ESX and VC command-line operations
Useful general command-line operationsUseful DNS, DHCP and WINS command-line operationsUseful Active Directory command-line operations
Useful command-linesCreating secedit templates with PowerShellFixing Permissions with NTFS intra-volume moves
Converting filetime with vbs and PowerShellDifference between bat and cmdReplica Domain for Authentication
Troubleshooting Windows PrintingRenaming a user account in ADOpsMgr 2007 Reports - Sorting, Filtering, Charting...
WMIC XSL CSV output formattingEnumerating File Server ResourcesWMIC Custom Alias and Format
AD site discoveryPassing Parameters between OpsMgr and SSRSAnalyzing Windows Kernel Dumps
Process list with command-line argumentsOpsMgr 2007 Customized Reporting - SQL QueriesPreventing accidental NTFS data moves
FSRM and NTFS Quotas in 2003 R2PowerShell Deleting NTFS Alternate Data StreamsNTFS links - reparse, symbolic, hard, junction
IE Warnings when files are executedPowerShell Low-level keyboard hookCross-forest authentication and GP processing
Deleting Invalid SMS 2003 Distribution PointsCross-forest authentication and site synchronizati...Determining AD attribute replication
AD Security vs Distribution GroupsTroubleshooting cross-forest trust secure channels...RIS cross-domain access
Large SMS Web Reports return Error 500Troubleshooting SMS 2003 MP and SLPRemotely determine physical memory
VMware SDK with PowershellSpinning Excel Pie ChartPoke-Info PowerShell script
Reading web content with PowerShellAutomated Cluster File Security and PurgingManaging printers at the command-line
File System Filters and minifiltersOpsMgr 2007 SSRS Reports using SQL 2005 XMLAccess Based Enumeration in 2003 and MSCS
Find VM snapshots in ESX/VCComparing MSCS/VMware/DFS File & PrintModifying Exchange mailbox permissions
Nested 'for /f' catch-allPowerShell FindFirstFileW bypassing MAX_PATHRunning PowerSell Scripts from ASP.Net
Binary <-> Hex String files with PowershellOpsMgr 2007 Current Performance InstancesImpersonating a user without passwords
Running a process in the secure winlogon desktopShadow an XP Terminal Services sessionFind where a user is logged on from
Active Directory _msdcs DNS zonesUnlocking XP/2003 without passwords2003 Cluster-enabled scheduled tasks
Purging aged files from the filesystemFinding customised ADM templates in ADDomain local security groups for cross-forest secu...
Account Management eventlog auditingVMware cluster/Virtual Center StatisticsRunning scheduled tasks as a non-administrator
Audit Windows 2003 print server usageActive Directory DiagnosticsViewing NTFS information with nfi and diskedit
Performance Tuning for 2003 File ServersChecking ESX/VC VMs for snapshotsShowing non-persistent devices in device manager
Implementing an MSCS 2003 server clusterFinding users on a subnetWMI filter for subnet filtered Group Policy
Testing DNS records for scavengingRefreshing Computer Account AD Group MembershipTesting Network Ports from Windows
Using Recovery Console with RISPAE Boot.ini Switch for DEP or 4GB+ memoryUsing 32-bit COM objects on x64 platforms
Active Directory Organizational Unit (OU) DesignTroubleshooting computer accounts in an Active Dir...260+ character MAX_PATH limitations in filenames
Create or modify a security template for NTFS perm...Find where a user is connecting from through WMISDDL syntax in secedit security templates

About Me

I’ve worked in IT for over 20 years, and I know just about enough to realise that I don’t know very much.