Re: AD User & Inherited Permissions



Of course you are right. It is one of those things I keep meaning to do but
never actually do. It is the best thing for security though and I am
committed to making it happen this quarter.

One interesting note. I got a divine idea yesterday that I tried and it
worked. I added the service account as a Delegate in Outlook with full
rights to my inbox. After I did that I was able to send from my mobile
device.

Thanks for your help,

Jim

"Brian Desmond [MVP]" <brian@xxxxxxxxxxxxxxxx> wrote in message
news:exfOG4WWIHA.2000@xxxxxxxxxxxxxxxxxxxxxxx
Ah. So, this is bad.

You should not be using your normal user account for administrative stuff.

Make yourself an account like $jim and put it in the admin groups. Take
your personal account out, clear the admincount attribute (set it to 0),
and set permissions to inherit.

Do everything you need to do with a runas command prompt and you'll be in
much better health from a security point of view.

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com


"Jim" <jim@xxxxxxxxxxxxxxxxxxx> wrote in message
news:478e711f$0$8218$39cecf19@xxxxxxxxxxxxxxxxxxxxx
Brian,

We have added a mobile phone application and the Service Account needs to
have "Send As" rights to my user or I won't be able to send an email from
my mobile device.

I have even added the service account manually but it will be removed by
the same process that unchecks the inheritance box.

Jim

"Brian Desmond [MVP]" <brian@xxxxxxxxxxxxxxxx> wrote in message
news:OzKoU6FWIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
Well the long and short of it is that your DA account won't get the
inherited permissions.

There is a process which updates the security descriptor on any account
which is in one of the builtin admin groups every hour or so with a
default security descriptor.

What is the scenario that you have that requires these delegations
remain?

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com

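The hourly process Brian describes is SDProp, which re-stamps every member of the protected groups with the security descriptor of the AdminSDHolder object (and sets adminCount=1, which it never clears on its own). The script below is an added example, not code from anyone in this thread: it audits which accounts are still protected members, finds accounts that were removed from those groups but still carry adminCount=1 (and therefore still have inheritance blocked), and implements the remediation from Brian's reply (clear adminCount, re-enable inheritance) for those orphans. It assumes the RSAT ActiveDirectory module and its AD: drive, and rights to modify the affected user objects; the function names are my own.

```powershell
# Added example (not from the thread): audit and repair adminCount / inheritance
# side effects of SDProp. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Default protected groups whose members SDProp stamps with the AdminSDHolder
# descriptor. Enterprise Admins / Schema Admins exist only in the forest root.
$ProtectedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'
)

function Get-ProtectedMemberDN {
    # Recursive membership of the protected groups, plus the two accounts that are
    # protected individually. These are the objects SDProp will keep re-stamping,
    # so re-enabling inheritance on them by hand is pointless.
    $dns = foreach ($g in $ProtectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                Select-Object -ExpandProperty DistinguishedName
        } catch { }   # group may not exist in this domain (e.g. Schema Admins)
    }
    $dns += foreach ($u in 'Administrator', 'krbtgt') {
        try { (Get-ADUser -Identity $u -ErrorAction Stop).DistinguishedName } catch { }
    }
    $dns | Sort-Object -Unique
}

function Get-OrphanedAdminCountUser {
    # Users still flagged adminCount=1 but no longer in any protected group.
    # SDProp only sets the flag; the personal account that was pulled out of
    # Domain Admins keeps adminCount=1 and blocked inheritance until it is fixed.
    $protected = Get-ProtectedMemberDN
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { $protected -notcontains $_.DistinguishedName }
}

function Repair-AdminCountUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User
    )
    process {
        $dn = $User.DistinguishedName
        if ($PSCmdlet.ShouldProcess($dn, 'Clear adminCount and enable ACL inheritance')) {
            # Step 1: clear the attribute so the account is no longer marked as "admin".
            Set-ADUser -Identity $User -Clear adminCount
            # Step 2: turn inheritance back on, keeping the explicit ACEs already present
            # (the $true second argument preserves the inherited-turned-explicit entries).
            $path = "AD:\$dn"
            $acl = Get-Acl -Path $path
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
        [pscustomobject]@{ User = $User.SamAccountName; DistinguishedName = $dn }
    }
}

# Audit first: who is genuinely protected, and who is an orphan?
Get-ProtectedMemberDN       | ForEach-Object { "PROTECTED: $_" }
Get-OrphanedAdminCountUser  | ForEach-Object { "ORPHAN:    $($_.DistinguishedName)" }

# Remediate orphans only after the personal account has been removed from the
# admin groups; preview with -WhatIf, then run without it.
Get-OrphanedAdminCountUser | Repair-AdminCountUser -WhatIf
```

Run the audit portion before removing the account from Domain Admins: while the account is still a member, SDProp will undo any inheritance change within the hour, which is exactly the behaviour Jim saw on every DC. Once the account appears under ORPHAN rather than PROTECTED, the repair sticks.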

"Jim" <jim@xxxxxxxxxxxxxxxxxxx> wrote in message
news:478e13b6$0$97734$39cecf19@xxxxxxxxxxxxxxxxxxxxx
I have a Domain Admin User object that is behaving strangely. It is
located in the root of the domain object. When I go into the security
tab and then select the advanced button, I notice the inherited
permission check box is not selected. So I selected it and clicked Apply
and OK. A couple of hours later the box is unchecked. I then manually
checked the box on all of our DCs within about 2 minutes time. Within
an hour or two the box was unchecked again. I need this Domain Admin to
receive the Inherited permissions. Where do I go from here?

Jim

