ACTIVE DIRECTORY SECURITY CHECKLIST ... - Leet Upload
Active Directory Checklist, V1R1.2 Field Security Operations
22 September 2006 Defense Information Systems Agency
DS10.0270 Domain Object Ownership Quota [Windows Server 2003 only]
STIG ID \ V-Key DS10.0270 \ V0008552
Severity Cat IV
Short Name Domain Object Ownership Quota
IA Controls ECLP-1
MAC /Conf 1-CSP, 2-CSP, 3-CSP
References AD STIG 2.3.3.6
Long Name: An object ownership quota has not been assigned to accounts that have been
delegated the right to create AD objects, but are not members of Windows built-in
administrative groups.
Checks:
Note: This check is Not Applicable for domains that contain no Windows Server
2003 domain controllers.
This check must be performed on a Windows Server 2003 domain controller.
• Review the local documentation for the list of accounts *not* in Windows built-in
administrative groups (such as Administrators) that have been delegated the
ability to create users or groups. [The Delegation of Control Wizard is one
method used to create such accounts.]
• At a command line prompt enter:
“dsquery quota domainroot”
- If there is any output, at a command line prompt enter:
“dsquery quota domainroot | dsget quota -acct -qlimit”
• Note the quotas established for each of the users with delegated authority or
the default for the domain partition.
• If users with delegated authority exist and there is no domain-wide or user-specific
quota established, then this is a Finding.
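The comparison in the last two steps can be done offline against saved command output. The following is an added example, not part of the checklist or any DISA tooling. It assumes the saved dsget text has the layout shown in the constructed sample, that the documented delegated accounts are recorded as distinguished names, and that the finding rule is applied per account; the function names are hypothetical.

```python
# Added example: offline evaluation of check DS10.0270 from saved output.
# Assumed layout of the saved `dsget quota -acct -qlimit` text (constructed here):
# a header row, rows ending in the numeric limit, and a trailing status line.

def parse_quota_table(text):
    """Return {account DN (lower-cased): quota limit} from saved dsget output."""
    quotas = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("dsget "):
            continue                      # blank line or status trailer
        parts = line.rsplit(None, 1)      # DNs may contain spaces; limit is last
        if len(parts) != 2:
            continue
        acct, limit = parts
        try:
            quotas[acct.strip('"').lower()] = int(limit)
        except ValueError:
            continue                      # header row ("acct  qlimit")
    return quotas

def evaluate(delegated, quota_output, domain_default=None):
    """Apply the finding rule per delegated account.
    delegated      -- account DNs from the local documentation (hypothetical input)
    quota_output   -- saved dsget text; empty if dsquery printed nothing
    domain_default -- default quota noted for the domain partition, None if not set
    """
    quotas = parse_quota_table(quota_output)
    effective, uncovered = [], []
    for dn in delegated:
        if dn.lower() in quotas:
            effective.append((dn, "user-specific", quotas[dn.lower()]))
        elif domain_default is not None:
            effective.append((dn, "domain-wide", domain_default))
        else:
            uncovered.append(dn)          # no quota of either kind applies
    return {"finding": bool(uncovered), "uncovered": uncovered, "effective": effective}

# Constructed sample data (example.test is a placeholder domain).
SAMPLE_OUTPUT = """\
  acct                                           qlimit
  CN=Help Desk One,OU=Staff,DC=example,DC=test   50
dsget succeeded
"""
SAMPLE_DELEGATED = [
    "CN=Help Desk One,OU=Staff,DC=example,DC=test",
    "CN=Account Operator Two,OU=Staff,DC=example,DC=test",
]
```

Calling `evaluate(SAMPLE_DELEGATED, SAMPLE_OUTPUT)` reports the second account as uncovered; passing a `domain_default` value clears the finding because the domain-wide quota then applies to it.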
UNCLASSIFIED