Re: AD User Objects & Permission Inheritance

From: Arcom (Arcom_at_discussions.microsoft.com)
Date: 02/01/05


Date: Tue, 1 Feb 2005 11:27:02 -0800

I went ahead and granted the Account Operators built-in group rights on the
adminSDholder object according to what I want the OU admins to have. I will
add the OU Admins to the Account Operators built-in group and this should
solve the problem with the least amount of security weakening. If anyone sees
a flaw in this thought process please mention it. Thanks in advance.

"Arcom" wrote:

> Thanks for all the help. I went ahead and enabled inheritance on the
> adminSDholder object to verify that this indeed was the cause and 60 minutes
> later all user objects began to inherit permissions again. At this point I
> will look into the best way to provide a "middle ground" solution so as not
> to open up all user accounts to inheritance but at the same time allowing the
> necessary OU admins the proper rights to its users. My only remaining
> question that I was not able to clearly answer through the responses or KB
> article is whether every single user under an OU that contains a protected
> user account gets inheritance disabled because of that one protected account?
> Reason I ask is because certain OU's contain only a handful of customer
> service users that have never been in a protected group yet they too were not
> inheriting permissions. Thanks again for all your time and information.
>
> "ptwilliams" wrote:
>
> > Personally, I don't think method two is suitable. The adminSDHolder object
> > is there for a reason. After all, this behaviour is by design. In many
> > environments, setting the inherit flag will add a lot of additional,
> > unnecessary permissions to the protected accounts.
> >
> > If you have the need to delegate control to a user or group to administer
> > users in an OU, and in that OU reside other protected users you have two
> > choices -remove them from those protected groups (most of the time they are
> > members for legacy reasons, and should no longer be in there); or delegate
> > the control to an existing admin-type person, i.e. one of the protected
> > group members -you can then grant that user or protected group to which he/
> > she belongs permissions to the adminSDHolder object.
> >
> > If neither of these suit your needs, I would apply the permissions that you
> > applied to the OU in question to the adminSDHolder object. This is better
> > than simply allowing the adminSDHolder to inherit permissions, as you are
> > still limiting access to these protected users.
> >
> > --
> >
> > Paul Williams
> >
> > http://www.msresource.net/
> > http://forums.msresource.net/
> >
> > "Desmond Lee" <mcp@donotspamplease.mars> wrote in message
> > news:BD1A4EDE-EE11-4979-9FB2-B5A6D42009F2@microsoft.com...
> > Do you have Win 2000 SP4 installed and the phenomenon happened recently /
> > intermittently?
> >
> > Are these admins also members of a security group within the OU delegated
> > rights to manage the OU?
> >
> > See
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;817433
> >
> > Method 2 in the KB would be the less disruptive resolution to this
> > 'security' problem.
> >
> > Do let us know if it helps. Thanks!
> >
> > "Arcom" wrote:
> >
> > > I noticed something when one of the users in charge of an OU reported he
> > > could no longer modify the user objects. The user rights were not
> > > inheriting permissions from its parent OU's. I enabled the Inherit
> > > permissions check box and the next day it was disabled again. Then I went
> > > looking at all other user objects in the different OU's and some OU's had
> > > users with permission inheritance enabled and other OU's user objects had
> > > inheritance disabled. How would this be? Is there a setting in a GPO
> > > somewhere to control this? It seems so sporadic and it makes it hard to
> > > pinpoint.

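The thread's open question (does every user in an OU lose inheritance, or only the protected ones?) can be answered from the directory itself: SDProp stamps adminCount=1 on every transitive member of a protected group (Account Operators included, which matters for the plan above) and removes inheritance on those objects only; users who once were members keep adminCount=1 and stay "protected" until an admin clears it. The script below is an added example, not from the thread, and assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the group list is the default Windows Server protected set.

```powershell
# Added example: list the users SDProp/AdminSDHolder is protecting and flag
# those that are no longer in any protected group ("orphaned" adminCount=1).
# Assumes the ActiveDirectory module and domain read rights (not thread code).
Import-Module ActiveDirectory

$protectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                     'Administrators', 'Account Operators', 'Server Operators',
                     'Print Operators', 'Backup Operators')

# Resolve every transitive (nested) member of the protected groups once.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedMembers[$_.distinguishedName] = $true }
}

# Every user SDProp has stamped, with the real inheritance state of its ACL.
$report = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        [pscustomobject]@{
            Name                  = $_.SamAccountName
            OU                    = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
            InheritanceDisabled   = $acl.AreAccessRulesProtected
            StillInProtectedGroup = $protectedMembers.ContainsKey($_.DistinguishedName)
        }
    }

# Orphans are users that left the protected groups but keep adminCount=1:
# SDProp will not restore inheritance for them; an admin must clear adminCount
# and re-enable inheritance on the object by hand.
$report | Sort-Object OU, Name | Format-Table -AutoSize
$orphans = @($report | Where-Object { -not $_.StillInProtectedGroup })
"{0} protected users, {1} orphaned adminCount=1 users" -f @($report).Count, $orphans.Count
```

Any user in the report explains the "sporadic" inheritance loss in that OU; a user missing from it but still losing inheritance points to something other than SDProp.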