Re: adminSDholder and permissions resets



"Rich Matheisen [MVP]" <richnews@xxxxxxxxxxxxxxxxxxxxx> wrote in
news:63f0j254o924p83j43f43f37ljpm7b1ea7@xxxxxxx:

bruce <badiii@xxxxxxxxxxxx> wrote:

I applied a recent Exchange hotfix that affected the SendAs
permissions required for Blackberry services to work. I granted SendAs
permissions to the BESADMIN service on the domain level.

I found that despite this, permissions for most of IT kept getting
reset, and the besadmin account was being removed. I finally figured
out that these IT accounts were all members of Account Operators,
which is associated with the adminSDHolder object and the permissions
reset every hour.

I removed a couple of us from the Account Operators group a couple
days ago, but our permissions still get reset. The accounts are not
members of any other builtin groups. Why is this happening? How can I
disassociate these accounts from adminSDholder?

MS tech support's best suggestion is to create new accounts and move
all mail, etc. over to them. What a great idea :(


See if this KB article helps:

Delegated permissions are not available and inheritance is
automatically disabled [817433]


Thank you. It does help show the problem, but not why. I used the ldifde
example to list all my accounts that have the admincount set to 1.
However, the problem I see is that once an account has been in an
adminSDholder protected group and then removed, it is still being reset
from inheriting permissions, even after I explicitly allow inheritance. I
actually have an account that is currently only in "Domain Users", but it
used to be in Administrators. Nonetheless, it shows up with admincount=1.
Do you have any idea why this is still set even when I remove my accounts
from those groups? Any idea how to remove that setting manually? TIA
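The follow-up above asks how to clear the adminCount stamp by hand once an account has left a protected group. The following PowerShell is an added example, not code from the thread or from the KB article: it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), a hypothetical domain, and the default protected-group list, which you should adjust to your domain's version. It finds accounts with adminCount=1 that are no longer (even through nesting) in any protected group, clears the attribute, and re-enables inheritance, which the SDProp process never restores on its own.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# rights to modify both the adminCount attribute and the object's ACL.
Import-Module ActiveDirectory

# Groups whose members SDProp stamps with adminCount=1 (default protected set;
# some entries only exist on newer domain functional levels).
$protectedGroups = 'Administrators','Account Operators','Server Operators',
    'Print Operators','Backup Operators','Domain Admins','Enterprise Admins',
    'Schema Admins','Replicator','Domain Controllers','Read-only Domain Controllers'

# Build the set of DNs that are still transitively members of a protected group.
$stillProtected = @{}
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $stillProtected[$_.distinguishedName] = $true }
}

# Orphans: adminCount=1 (the same set the ldifde query lists) but no longer
# in any protected group, so SDProp should stop managing them.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $stillProtected.ContainsKey($_.DistinguishedName) }

foreach ($u in $orphans) {
    $dn = $u.DistinguishedName
    Write-Host "Clearing adminCount and re-enabling inheritance on $dn"

    # 1. Clear adminCount so the hourly SDProp pass ignores the account.
    Set-ADUser -Identity $u -Clear adminCount

    # 2. Re-enable inheritance on the object's security descriptor.
    #    SetAccessRuleProtection($false, $true): $false = stop blocking
    #    inheritance, $true = keep the explicit ACEs already present.
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}
```

Review the orphan list before running the loop; an account still nested in a protected group through a group the list does not name would be re-stamped on the next SDProp pass.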