Re: Weird permissions on user accounts
- From: "Chriss3 [MVP]" <noSpamHere@xxxxxxxxxx>
- Date: Fri, 8 Apr 2005 00:45:50 +0200
Hello.
This is a known issue; you are having the behavior of KB258788.
http://support.microsoft.com/kb/258788/EN-US/
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
"troy240sx@xxxxxxxxx" <troy240sxyahoocom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:1EC95DCD-3BFB-4E32-AC9E-8D175ACACBA0@xxxxxxxxxxxxxxxx
>
>
> We are migrating from NT 4.0 to 2003 AD. We are using the ADMTv.2 tool to
> migrate computer and user accounts. While migrating accounts I have noticed
> that there are different permissions applied to accounts that have been
> migrated and accounts created in AD. After further investigation I also
> noticed that if you create an account in the 2003 environment and use dsacls
> to dump the permissions to a text file. Then on that same user account go
> into the advanced security properties, click the Default button (which is
> supposed to replace the permissions with the default settings). Now use
> dsacls to dump the new permissions to a different text file. Use FC to do a
> file compare and the permissions are different.
>
> Why are the permissions different between a migrated account and an AD
> created account?
>
> Why are the permissions changed when you click the default button if you
> haven't changed the default permissions when you created the account?
>
> What concerns me the most is that it changes the DENY EVERYONE CHANGE
> PASSWORD permission to ALLOW EVERYONE CHANGE PASSWORD permission. I have
> logged into our domain with a Domain User account <no special
> rights/permissions> and this user was NOT able to change the password. The
> permissions seem to be misleading.
>
> The default button changes the following permissions.
> DENY - EVERYONE - CHANGE PASSWORD ---> REMOVED
> DENY - NT AUTHORITY\SELF - CHANGE PASSWORD ---> REMOVED
>
> C:>fc before.txt after.txt
> Comparing files BEFORE.txt and AFTER.TXT
> ***** BEFORE.txt
> READ PROPERTY
> Deny Everyone Change Password
> Deny NT AUTHORITY\SELF Change Password
> Allow Everyone Change Password
> ***** AFTER.TXT
> READ PROPERTY
> Allow Everyone Change Password
> *****
>
> Can someone confirm that this is normal? If possible I would also like an
> explanation why it works like this.
>
> NOTE: I didn't change any of the permissions up the structure of where this
> user account is....
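
The before/after dsacls comparison described in the quoted post, as an added example that is not part of either poster's message: a PowerShell function that compares two dumps as sets of ACE lines and flags each removed Deny ACE whose matching Allow ACE is still present. The function and property names are assumptions, and the sample lines are constructed from the fc output quoted above rather than taken from a full dsacls dump.

```powershell
# Assumption: every ACE line in the dump starts with "Allow" or "Deny",
# as in the fc output quoted in the post. Other lines are ignored.
function Get-AceSet {
    param([string[]]$Lines)
    $set = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in $Lines) {
        # Collapse column padding so spacing differences are not reported as changes.
        $ace = ($line -replace '\s+', ' ').Trim()
        if ($ace -match '^(Allow|Deny) \S') { [void]$set.Add($ace) }
    }
    return ,$set   # the comma keeps PowerShell from unrolling the set
}

function Compare-AclDump {
    param([string[]]$Before, [string[]]$After)
    $old = Get-AceSet $Before
    $new = Get-AceSet $After
    foreach ($ace in $old) {
        if ($new.Contains($ace)) { continue }
        $isDeny = $ace -like 'Deny *'
        # For a removed Deny, check whether the same trustee and right is still allowed.
        $twin = if ($isDeny) { 'Allow ' + $ace.Substring(5) } else { $null }
        [pscustomobject]@{
            Change               = 'Removed'
            Ace                  = $ace
            DenyRemoved          = $isDeny
            MatchingAllowRemains = ($isDeny -and $new.Contains($twin))
        }
    }
    foreach ($ace in $new) {
        if ($old.Contains($ace)) { continue }
        [pscustomobject]@{ Change = 'Added'; Ace = $ace; DenyRemoved = $false; MatchingAllowRemains = $false }
    }
}

# Constructed sample input, rebuilt from the fc output in the post.
$before = @(
    'Deny  Everyone            Change Password'
    'Deny  NT AUTHORITY\SELF   Change Password'
    'Allow Everyone            Change Password'
)
$after = @('Allow Everyone            Change Password')

# With real dumps: Compare-AclDump (Get-Content before.txt) (Get-Content after.txt)
Compare-AclDump -Before $before -After $after | Format-Table -AutoSize
```

Unlike fc, the set comparison ignores ACE ordering and column padding, so only ACEs that were actually added or removed are listed.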