Re: Security Additions Disappearing

From: DK (anonymous_at_discussions.microsoft.com)
Date: 04/13/04


Date: Tue, 13 Apr 2004 10:58:51 -0700

Teresa - Thank you for the additional information!
Unfortunately, this is a newly created account, though it
has been renamed to replace the original. I checked,
using ADSIEdit, and it does not have a value set for the
msExchMasterAccountSid attribute.

Yes, this is a mixed mode environment, and we have not
been able to remove the NT4 BDC's yet. The delegate
accounts are AD accounts as well (some migrated, some
new), and I do not know their status at time of
migration. It was before we were involved.

We're beginning to test out some possibilities with the
BDC's, but any further information would be of huge
help! Thank you!

>-----Original Message-----
>You mentioned that you're in mixed mode. Are the delegate accounts in AD?
>Are they enabled or disabled, and if they are enabled, were they disabled
>when you migrated them from 5.5?
>
>There is a known case where permissions get reset. If you started out your
>migration process by creating disabled user accounts in AD, then enabled
>those accounts, make sure that the process that enabled the accounts also
>cleared the msExchMasterAccountSid attribute. This attribute only has a
>value on disabled accounts. If it has a value on an enabled account, you'll
>see odd behaviors like resetting permissions.
>
>--
>Teresa Appelgate
>Exchange User Education
>
>****** Disclaimers ******
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>Please do not send email directly to this alias. This alias is for newsgroup
>purposes only.
>
>
>"DK" <anonymous@discussions.microsoft.com> wrote in message
>news:1a26601c41d96$08907000$a401280a@phx.gbl...
>> Update - it appears to be replication that is resetting
>> these items. Every 15 minutes or so, the permissions are
>> reset on that account, matching the replication cycle, or
>> approximately. Since I do not know how these servers
>> were originally installed and in what order, is there a
>> possibility that one of these NT4 DC's still thinks it is
>> a PDC or somehow resetting the 2000 DC's information?
>> I've looked at all the FSMO roles, and all are set to the
>> main Windows 2000 DC. We're trying to see if we can
>> modify rights on the NT4 boxes one at a time to see if we
>> can narrow it down to one of them. Still, any help or
>> ideas are appreciated.
>>
>>
>> >-----Original Message-----
>> >Willie -
>> >
>> >No, this Support account is only a member of Domain
>> >Users, no other groups. I've verified that nothing GPO-
>> >wise is resetting it, from what I can tell. If I change
>> >it to give the rights I want, then Secedit /refreshpolicy
>> >both policies, the rights remain. We're trying to
>> >monitor how long it takes for the rights to disappear to
>> >see if it corresponds with anything else, but have not
>> >had much luck with that so far. Can anything be
>> >resetting these rights? We have no 'rogue admins' out
>> >there...
>> >
>> >
>> >>-----Original Message-----
>> >>Is the Support account that you are giving the users Send As and
>> >>Receive As rights a member of the built-in Administrators or Domain
>> >>Administrators groups?
>> >>
>> >>If so that would explain why the permissions are being reset.
>> >>
>> >>There is a template that holds a set of permissions that are applied to
>> >>accounts that are members of the built-in Administrators or Domain
>> >>Administrators groups. These permissions are applied at regular
>> >>intervals. The regular application of permissions on the users in the
>> >>Administrators group is a security feature designed to maintain
>> >>consistent permissions on those user accounts.
>> >>
>> >>--
>> >>Willie Ryder
>> >>Microsoft PSS
>> >>
>> >>wryder@online.microsoft.com
>> >>
>> >>Please do not send email directly to this alias. This alias is for
>> >>newsgroup purposes only.
>> >>
>> >>This posting is provided "AS IS" with no warranties, and confers no
>> >>rights.
>> >>"DK" <anonymous@discussions.microsoft.com> wrote in message
>> >>news:19bcb01c41ce7$e3919ad0$a401280a@phx.gbl...
>> >>> Apologize for the cross-post in the Exchange forum, but
>> >>> this is a mixed, odd scenario.
>> >>>
>> >>> We have a Support user/mailbox that is managed by three
>> >>> other users (UserA, UserB and UserC). We started off
>> >>> having trouble with Send On Behalf being displayed in the
>> >>> e-mail when these users sent mail as Support. We don't
>> >>> want that, as it may be a different person responding
>> >>> each time...nor do we want the individual user's name
>> >>> attached into the e-mail.
>> >>>
>> >>> So, by other advice in the Exchange forums, we added the
>> >>> Send As and Receive As rights, as well as full mailbox
>> >>> rights to the Support account in Active Directory Users
>> >>> and Computers (via the Security tab and Exchange Advanced-
>> >>> Mailbox Rights tab). This seemed to work out, after some
>> >>> trial and error. These users ONLY have the rights listed
>> >>> above over the Support user/mailbox. But after some
>> >>> amount of time (we have not yet confirmed if it is hours
>> >>> or minutes yet), the rights that we set up in the
>> >>> Security tab of ADUC are gone. The three added users
>> >>> have been removed somehow from those rights. This is a
>> >>> mixed mode Windows 2000 domain (2 2K DC's and 4 NT4
>> >>> BDC's), and replication is slow, but doesn't appear to
>> >>> have any other problems. (That we can immediately see)
>> >>>
>> >>> Can anyone give any hints or areas to check that would cause
>> >>> something like this to happen?
>> >>>
>> >>
>> >
>
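Added example, not code from anyone in this thread and not Microsoft's: a PowerShell script that runs the two checks described above against one account, defaulting to the thread's "Support" account. Teresa's check is that msExchMasterAccountSid must be empty on an enabled account; Willie's check is whether the account falls under the template whose permissions are re-applied at regular intervals. Assumptions not stated in the thread: the ActiveDirectory module (RSAT) is installed and the caller can read the domain, the template Willie describes is the directory object CN=AdminSDHolder,CN=System,<domain>, and accounts it covers carry adminCount=1. The script only reads from the directory; the one remediation is left as a comment.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and a
# domain account with read access. "Support" is the account name used in the thread.
param([string]$SamAccountName = 'Support')

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName `
            -Properties msExchMasterAccountSid, adminCount, nTSecurityDescriptor

# ---- Check 1 (Teresa): msExchMasterAccountSid must be empty on an ENABLED account
if ($user.Enabled -and $user.msExchMasterAccountSid) {
    $msg = "{0} is enabled but still carries msExchMasterAccountSid={1}; this is the leftover-from-migration condition described in the thread." -f $SamAccountName, $user.msExchMasterAccountSid
    Write-Warning $msg
    # Remediation once the account is confirmed to be an ordinary mailbox user
    # (not one that is deliberately disabled and linked to another account):
    # Set-ADUser -Identity $SamAccountName -Clear msExchMasterAccountSid
} else {
    "Check 1 OK: Enabled=$($user.Enabled), msExchMasterAccountSid set=$([bool]$user.msExchMasterAccountSid)"
}

# Same condition across the whole domain. userAccountControl bit 2 is ACCOUNTDISABLE;
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the filter reads
# "attribute present AND account not disabled".
$filter   = '(&(msExchMasterAccountSid=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$suspects = @(Get-ADUser -LDAPFilter $filter -Properties msExchMasterAccountSid)
"Enabled accounts domain-wide with msExchMasterAccountSid set: $($suspects.Count)"
$suspects | Select-Object SamAccountName, DistinguishedName

# ---- Check 2 (Willie): is the account one whose ACL is re-stamped from the template?
# Assumption (not named in the thread): the template is CN=AdminSDHolder,CN=System.
$domainDN = (Get-ADDomain).DistinguishedName
$holder   = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDN" -Properties nTSecurityDescriptor

# Nested membership in the two groups Willie names
$protectedVia = foreach ($g in 'Administrators', 'Domain Admins') {
    $members = Get-ADGroupMember -Identity $g -Recursive
    if ($members | Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }) { $g }
}

if ($user.adminCount -eq 1 -or $protectedVia) {
    "Check 2: $SamAccountName is subject to the template (adminCount=$($user.adminCount); member of: $($protectedVia -join ', '))."
    # Render each ACE as a comparable string. Any ACE on the user that is not in the
    # template (for example a Send As grant) is exactly what the periodic pass removes.
    $asText     = { "$($_.IdentityReference)|$($_.ActiveDirectoryRights)|$($_.AccessControlType)|$($_.ObjectType)" }
    $userAces   = $user.nTSecurityDescriptor.Access   | ForEach-Object $asText | Sort-Object -Unique
    $holderAces = $holder.nTSecurityDescriptor.Access | ForEach-Object $asText | Sort-Object -Unique
    $willBeRemoved = Compare-Object -ReferenceObject $holderAces -DifferenceObject $userAces |
                     Where-Object SideIndicator -eq '=>' |
                     Select-Object -ExpandProperty InputObject
    if ($willBeRemoved) {
        Write-Warning "ACEs on $SamAccountName that are not in the template and will be reset on the next pass:"
        $willBeRemoved
    }
} else {
    "Check 2 OK: $SamAccountName is not in Administrators/Domain Admins and adminCount is not 1, so the template does not apply. If rights still vanish, Check 1 or replication is the place to look."
}
```

Run it on a domain-joined machine as `.\Check-ResetRights.ps1 -SamAccountName Support` (the file name is your choice). Check 1 answers Teresa's question directly and also sweeps the domain for other accounts in the same state, which matters when, as here, the delegate accounts were migrated by someone else. Check 2 separates the "account is protected by the template" explanation from the "attribute left over from migration" explanation, so the 15-minute reset cycle can be attributed to one of them rather than to a stray NT4 BDC.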