Re: adminSDholder and permissions resets

From: "Rich Matheisen [MVP]" <richnews@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 17 Oct 2006 17:28:47 -0400

bruce <badiii@xxxxxxxxxxxx> wrote:

[ snip ]

See if this KB article helps:

Delegated permissions are not available and inheritance is
automatically disabled [817433]

Thank you. It does help show the problem, but not why. I used the ldifde
example to list all my accounts that have the admincount set to 1.
However, the problem I see is that once an account has been in an
adminSDholder protected group and then removed, it is still being reset
from inheriting permissions, even after I explicitly allow inheritance.

That's what the script (just above the ldifde command in the KB
article) does -- allows inheritence and resets the adminCount. But the
script isn't selective, it resets them for everyone. You'd probably
want to alter the script to verify that the users with adminCount set
to 1 are still members of protected groups before resetting things, or
provide the script with a list of DNs to alter instead of changing
them all.

I
actually have an account that is currently only in "Domain Users", but it
used to be in Administrators. Nonetheless, it shows up with admincount=1.
Do you have any idea why this is still set even when I remove my accounts
from those groups?

'Coz that's the way MS coded it?

Any idea how to remove that setting manually? TIA

Sure -- see the script.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
.

References:
- adminSDholder and permissions resets
  - From: bruce
- Re: adminSDholder and permissions resets
  - From: Rich Matheisen [MVP]
- Re: adminSDholder and permissions resets
  - From: bruce

Prev by Date: Re: Public folders will not recieve external email
Next by Date: Re: Exchange 2003: Deleted Mailbox Retention Policy
Previous by thread: Re: adminSDholder and permissions resets
Next by thread: Stop Writing to Event Log?
Index(es):
- Date
- Thread

Relevant Pages

Re: How to get rid of "duration", "dimension", "quality" columns in explorer
... I've written a script that will apply all the view customizations you can set to all of a folder's ... You can select a folder & configure its view settings, then those are set to be inherited by all ... non-grouped view to be the default inheritance for My Computer, then return My Computer to its ...
(microsoft.public.windowsxp.customize)
Re: Help needed with folders
... I've written a script that will apply all the view customizations you ... You can select a folder & configure its view settings, ... non-grouped view to be the default inheritance for My Computer, ...
(microsoft.public.windowsxp.customize)
Re: Changes to ACL disappear
... Implementing Method 2 did allow inheritance on all "protected groups" but it ... AdminCount attribute from 1 to 0 for administrative accounts (which the ... >> for adminSDHolder. ...
(microsoft.public.windows.server.security)
Re: Delegates page is not Availuable...
... same inheritance button that related to the email address in Exchange 2003... ... point) a member of a "protected group". ... If it does then the user isn't a member of a protected ... You need to decide what accounts are used for "normal" work and what ...
(microsoft.public.exchange.admin)
Re: Capital Letters or Uppercase Letters
... "Michael Harris " <mikhar at mvps dot org> wrote in message ... It's HTML with some inline CSS. ... I guess inheritance isn't supported in IE? ... Technet Script Center - http://www.microsoft.com/technet/scriptcenter/ ...
(microsoft.public.scripting.vbscript)