joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Hey Microsoft… Is the AD Delegation for Computer Objects Broken?

by @ 11:09 pm on 3/17/2023. Filed under tech

Is https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8 an admission that AD Delegation for computer objects is broken?

The whole fix, and the previous versions of the fix, exist to override who is allowed to re-use an existing computer account: after the November 2022 change a DC only lets an existing account be re-used by the security principal that created it or by a member of Domain Admins, regardless of what the ACL on the object says. In theory, if your AD security is properly delegated and you have turned off that silly "anyone can join a computer as long as they have joined fewer than X machines" quota business (ms-DS-MachineAccountQuota, default 10), then the only people who can re-use a machine account are the people you have delegated rights to create/delete/join machine accounts. That delegation is usually done at the OU level, or, if you are a little quirky and like to do things differently, at the container level. So you set up that delegation for the people who "own" support of the machines in that OU and you move on with your life.

Along comes this change where MSFT starts blowing people up by changing how the delegation works outside of the delegation model. It was quite irritating, I will say. WTF do we have the delegation model for, then?

So now the latest fix has you specifying the people you trust to re-use computer objects in AD, who, again, are probably the same people you delegated the access to in the first place. So you think, well, this is just stupid: I have previously delegated access to X number of different OUs to X number of different groups in each domain. Now I also have to add them to a GPO??? Why wasn't the first delegation, which already shows I trust them, good enough?

And then they even go further and write in the KB…

[screenshot of the KB's warning against adding large groups such as Authenticated Users or Everyone to the allowlist]

So if Authenticated Users, Everyone, and other large groups already didn't have rights to touch the machine accounts under your properly built delegation model, why is this suddenly important, and why does it apparently override the delegation model? Since I have this properly delegated already, I should be able to put Everyone in the allowlist just fine, because, again, the delegation model works correctly, right? Or maybe it doesn't???
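What the two paragraphs above describe, as an added example that is not from the post: build the delegation at the OU (quota off, create/delete plus the join-relevant rights on computer objects granted to one support group), then audit the OU's ACL for broad principals, and finally decode the allowlist the March 2023 update stores on a DC. It uses the ActiveDirectory module and must run as an account that can write the OU's ACL. The OU `OU=Workstations` and the group `Workstation-Joiners` are assumed names; the registry value path is the one the KB documents for the "Domain controller: Allow computer account re-use during domain join" policy, so check it against the KB for your build.

```powershell
# Added example, not code from the post. OU and group names are assumptions.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$ouDN      = "OU=Workstations,$($domain.DistinguishedName)"   # assumed OU
$joiners   = Get-ADGroup 'Workstation-Joiners'                # assumed support group
$joinerSid = $joiners.SID

# 1. Turn off the "any authenticated user may join 10 machines" quota.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. Delegate the OU. schemaIDGUID of the computer class, plus the rights a joiner
#    needs on an existing computer object to re-use it.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$objectRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'ExtendedRight'  # Reset Password
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'WriteProperty'  # Account Restrictions property set
    '72e39547-7b18-11d1-adef-0000f87a7ea4' = 'Self'           # Validated write to DNS host name
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Self'           # Validated write to SPN
}

$acl = Get-Acl -Path "AD:\$ouDN"
# Create/delete computer objects in this OU and every child OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $joinerSid, 'CreateChild, DeleteChild', 'Allow', $computerClass, 'All'))
foreach ($entry in $objectRights.GetEnumerator()) {
    # Inherit-only ACEs scoped to descendant objects of class computer.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $joinerSid, $entry.Value, 'Allow', [guid]$entry.Key, 'Descendents', $computerClass))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Audit: which principals hold create/delete/write-type rights under the OU, and are
#    any of them the broad groups the KB warns about? Those defeat the delegation model.
$broadSids = @(
    'S-1-1-0',                     # Everyone
    'S-1-5-11',                    # Authenticated Users
    "$($domain.DomainSID)-513",    # Domain Users
    "$($domain.DomainSID)-515"     # Domain Computers
)
$interesting = 'CreateChild|DeleteChild|WriteProperty|ExtendedRight|Self|GenericAll|GenericWrite|WriteDacl|WriteOwner'
$report = foreach ($ace in (Get-Acl -Path "AD:\$ouDN").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.ActiveDirectoryRights.ToString() -notmatch $interesting) { continue }
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Rights    = $ace.ActiveDirectoryRights
        Inherited = $ace.IsInherited
        Broad     = $broadSids -contains $sid
    }
}
$report | Sort-Object Broad -Descending | Format-Table -AutoSize

# 4. On a DC with the March 2023 update, the allowlist behind the
#    "Domain controller: Allow computer account re-use during domain join" policy is
#    kept as an SDDL string. Decode it so a broad group cannot hide in the SDDL.
$sam = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM' `
        -Name ComputerAccountReuseAllowlist -ErrorAction SilentlyContinue
if ($sam) {
    (ConvertFrom-SddlString -Sddl $sam.ComputerAccountReuseAllowlist).DiscretionaryAcl
} else {
    'No ComputerAccountReuseAllowlist value on this host (policy not set or update not installed).'
}
```

Step 3 is the check that matters for the post's argument: if the only rows with Broad set to True are inherited ACEs you expect (or none), then the delegation already restricts who can touch those computer accounts, and the allowlist in step 4 ends up listing the same group you granted in step 2. Run step 4 on each DC, since the policy is applied per DC.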

Hey Microsoft… Are you admitting in this KB and Security Fix that the AD delegation model for computer objects is broken?
