Re: AD User & Inherited Permissions
- From: "Brian Desmond [MVP]" <brian@xxxxxxxxxxxxxxxx>
- Date: Thu, 17 Jan 2008 20:03:53 -0500
Ah. So, this is bad.
You should not be using your normal user account for administrative stuff.
Make yourself an account like $jim and put it in the admin groups. Take your
personal account out, clear the admincount attribute (set it to 0), and set
permissions to inherit.
Do everything you need to do with a runas command prompt and you'll be in
much better health from a security point of view.
--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services
www.briandesmond.com
"Jim" <jim@xxxxxxxxxxxxxxxxxxx> wrote in message
news:478e711f$0$8218$39cecf19@xxxxxxxxxxxxxxxxxxxxx
Brian,
We have added a mobile phone application and the Service Account needs to
had "Send As" rights to my user or I wont be able to send an email from my
mobile device.
I have even added the service account manually but it will be removed by
the same process that unchecks the inheritance box.
Jim
"Brian Desmond [MVP]" <brian@xxxxxxxxxxxxxxxx> wrote in message
news:OzKoU6FWIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
Well the long and short of it is that your DA account won't get the
inherited permissions.
There is a process which updates the security descriptor on any account
which is in one of the builtin admin groups every hour or so with a
default security descriptor.
What is the scenario that you have that requires these delegations
remain?
--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services
www.briandesmond.com
"Jim" <jim@xxxxxxxxxxxxxxxxxxx> wrote in message
news:478e13b6$0$97734$39cecf19@xxxxxxxxxxxxxxxxxxxxx
I have a Domain Admin User object that is behaving strangely. It is
located in the root of the domain object. When I go into the security tab
and then select the advanced button, I notice the the inherited
permission check box is not selected. So I selected it and clicked Apply
and OK. A Couple hours latter the box is unchecked. I then manually
checked the box on all of our DC's within about 2 minutes time. Within an
hour or two the box was unchecked again. I need this Domain Admin to
receive the Inherited permissions. Where do I go from here?
Jim
.
- Follow-Ups:
- Re: AD User & Inherited Permissions
- From: Jim
- Re: AD User & Inherited Permissions
- References:
- AD User & Inherited Permissions
- From: Jim
- Re: AD User & Inherited Permissions
- From: Brian Desmond [MVP]
- Re: AD User & Inherited Permissions
- From: Jim
- AD User & Inherited Permissions
- Prev by Date: Re: Rename Domain Controller DC
- Next by Date: Re: login Scripts not running
- Previous by thread: Re: AD User & Inherited Permissions
- Next by thread: Re: AD User & Inherited Permissions
- Index(es):
