Re: Security Additions Disappearing

From: DK (anonymous_at_discussions.microsoft.com)
Date: 04/08/04


Date: Thu, 8 Apr 2004 11:19:29 -0700

Update - it appears to be replication that is resetting
these items. Every 15 minutes or so, the permissions are
reset on that account, matching the replication cycle, or
approximately. Since I do not know how these servers
were originally installed and in what order, is there a
possibility that one of these NT4 DC's still thinks it is
a PDC or somehow resetting the 2000 DC's information?
I've looked at all the FSMO roles, and all are set to the
main Windows 2000 DC. We're trying to see if we can
modify rights on the NT4 boxes one at a time to see if we
can narrow it down to one of them. Still, any help or
ideas are appreciated.

>-----Original Message-----
>Willie -
>
>No, this Support account is only a member of Domain
>Users, no other groups. I've verified that nothing GPO-wise
>is resetting it, from what I can tell. If I change
>it to give the rights I want, then Secedit /refreshpolicy
>both policies, the rights remain. We're trying to
>monitor how long it takes for the rights to disappear to
>see if it corresponds with anything else, but have not
>had much luck with that so far. Can anything be
>resetting these rights? We have no 'rogue admins' out
>there...
>
>
>>-----Original Message-----
>>Is the Support account that you are giving the users Send As and Receive As
>>rights a member of the built-in Administrators or Domain Administrators
>>groups?
>>
>>If so that would explain why the permissions are being reset.
>>
>>There is a template that holds a set of permissions that are applied to
>>accounts that are members of the built-in Administrators or Domain
>>Administrators groups. These permissions are applied at regular intervals.
>>The regular application of permissions on the users in the Administrators
>>group is a security feature designed to maintain consistent permissions on
>>those user accounts.
>>
>>--
>>Willie Ryder
>>Microsoft PSS
>>
>>wryder@online.microsoft.com
>>
>>Please do not send email directly to this alias. This alias is for
>>newsgroup purposes only.
>>
>>This posting is provided "AS IS" with no warranties, and confers no rights.
>>"DK" <anonymous@discussions.microsoft.com> wrote in message
>>news:19bcb01c41ce7$e3919ad0$a401280a@phx.gbl...
>>> Apologize for the cross-post in the Exchange forum, but
>>> this is a mixed, odd scenario.
>>>
>>> We have a Support user/mailbox that is managed by three
>>> other users (UserA, UserB and UserC). We started off
>>> having trouble with Send On Behalf being displayed in the
>>> e-mail when these users sent mail as Support. We don't
>>> want that, as it may be a different person responding
>>> each time...nor do we want the individual user's name
>>> attached into the e-mail.
>>>
>>> So, by other advice in the Exchange forums, we added the
>>> Send As and Receive As rights, as well as full mailbox
>>> rights to the Support account in Active Directory Users
>>> and Computers (via the Security tab and Exchange Advanced-Mailbox
>>> Rights tab). This seemed to work out, after some
>>> trial and error. These users ONLY have the rights listed
>>> above over the Support user/mailbox. But after some
>>> amount of time (we have not yet confirmed if it is hours
>>> or minutes yet), the rights that we set up in the
>>> Security tab of ADUC are gone. The three added users
>>> have been removed somehow from those rights. This is a
>>> mixed mode Windows 2000 domain (2 2K DC's and 4 NT4
>>> BDC's), and replication is slow, but doesn't appear to
>>> have any other problems. (That we can immediately see)
>>>
>>> Can anyone give any hints or areas to check that would cause
>>> something like this to happen?
>>> .
>>>
>>>
>>
>>
>>.
>>
>.
>
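
The check behind Willie Ryder's question, as an added example that is not part of the original posts: the permission template he describes is held on the AdminSDHolder object, and accounts it is applied to are stamped with adminCount=1. The sketch assumes a current domain with the RSAT ActiveDirectory module (not the mixed-mode Windows 2000 environment in the thread); the function name and the 'Support' account name are illustrative.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ProtectedAccountAcl {
    param([Parameter(Mandatory)][string]$SamAccountName)   # e.g. 'Support'

    # Extended-right GUIDs for the two rights discussed in the thread
    $rights = @{
        'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
        'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
    }

    $domainDn = (Get-ADDomain).DistinguishedName
    $user     = Get-ADUser -Identity $SamAccountName -Properties adminCount

    # Nested membership via LDAP_MATCHING_RULE_IN_CHAIN; the primary group
    # (normally Domain Users) is not stored in 'member' and is not returned.
    $filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName)))"
    $protectedGroups = @(Get-ADGroup -LDAPFilter $filter | Select-Object -ExpandProperty Name)

    $userAcl   = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $holderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"

    # Reduce each explicit ACE to a comparable string
    $key = { param($ace) '{0}|{1}|{2}|{3}' -f $ace.IdentityReference, $ace.AccessControlType,
                                             $ace.ActiveDirectoryRights, $ace.ObjectType }
    $userAces   = @($userAcl.Access   | Where-Object { -not $_.IsInherited } | ForEach-Object { & $key $_ })
    $holderAces = @($holderAcl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { & $key $_ })

    [pscustomobject]@{
        Account              = $user.SamAccountName
        AdminCount           = $user.adminCount            # 1 = stamped as protected
        ProtectedGroups      = $protectedGroups            # current memberships that explain it
        InheritanceDisabled  = $userAcl.AreAccessRulesProtected
        MatchesAdminSDHolder = (($userAces | Sort-Object) -join ';') -eq (($holderAces | Sort-Object) -join ';')
        MailboxRightHolders  = @($userAcl.Access |
            Where-Object { $rights.ContainsKey([string]$_.ObjectType) } |
            ForEach-Object { '{0}: {1} {2}' -f $rights[[string]$_.ObjectType], $_.AccessControlType, $_.IdentityReference })
    }
}

Test-ProtectedAccountAcl -SamAccountName 'Support'
```

An account that reports AdminCount 1 with an empty ProtectedGroups list was a member of a protected group at some point; the flag and the disabled inheritance are not cleared when the membership is removed.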


