Re: Weird permissions on user accounts
- From: "troy240sx@xxxxxxxxx" <troy240sxyahoocom@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 8 Apr 2005 07:03:01 -0700
That makes sense, but why are the permissions different between a newly
created account and the permissions on that same account after using the
Default button? Wouldn't the default permissions be the permissions that
were assigned to it by default (upon creation)?

On an account created in AD, by default, it has DENY EVERYONE and SELF CHANGE
PASSWORD. After you click the Default button these are removed.

According to Q258788 (which is for 2000, not 2003) users would not be able to
change their password without being logged on. Since DENY EVERYONE and SELF
CHANGE PASSWORD is the default for an account created in AD, I can expect to
see this problem on new accounts created in AD (not migrated) because a DENY
on the user will always be the effective permission, right? If this is true,
you're saying that every account that is created in AD does not have the
correct permissions assigned to it and needs to be changed when the account is
created?

Am I understanding this correctly? Is this going to be fixed in a hotfix or
service pack?

"Chriss3 [MVP]" wrote:
> Hello.
> This is a known issue; you are having the behavior of KB258788.
> http://support.microsoft.com/kb/258788/EN-US/
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Tips
>
> "troy240sx@xxxxxxxxx" <troy240sxyahoocom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:1EC95DCD-3BFB-4E32-AC9E-8D175ACACBA0@xxxxxxxxxxxxxxxx
> >
> > We are migrating from NT 4.0 to 2003 AD. We are using the ADMTv.2 tool to
> > migrate computer and user accounts. While migrating accounts I have
> > noticed that there are different permissions applied to accounts that
> > have been migrated and accounts created in AD. After further
> > investigation I also noticed that if you create an account in the 2003
> > environment and use dsacls to dump the permissions to a text file. Then
> > on that same user account go into the advanced security properties, click
> > the Default button (which is supposed to replace the permissions with the
> > default settings). Now use dsacls to dump the new permissions to a
> > different text file. Use FC to do a file compare and the permissions are
> > different.
> >
> > Why are the permissions different between a migrated account and an AD
> > created account?
> >
> > Why are the permissions changed when you click the Default button if you
> > haven't changed the default permissions when you created the account?
> >
> > What concerns me the most is that it changes the DENY EVERYONE CHANGE
> > PASSWORD permission to ALLOW EVERYONE CHANGE PASSWORD permission. I have
> > logged into our domain with a Domain User account <no special
> > rights/permissions> and this user was NOT able to change the password.
> > The permissions seem to be misleading.
> >
> > The default button changes the following permissions.
> > DENY - EVERYONE - CHANGE PASSWORD ---> REMOVED
> > DENY - NT AUTHORITY\SELF - CHANGE PASSWORD ---> REMOVED
> >
> > C:>fc before.txt after.txt
> > Comparing files BEFORE.txt and AFTER.TXT
> > ***** BEFORE.txt
> > READ PROPERTY
> > Deny Everyone Change Password
> > Deny NT AUTHORITY\SELF Change Password
> > Allow Everyone Change Password
> > ***** AFTER.TXT
> > READ PROPERTY
> > Allow Everyone Change Password
> > *****
> >
> > Can someone confirm that this is normal? If possible I would also like an
> > explanation why it works like this.
> >
> > NOTE: I didn't change any of the permissions up the structure of where
> > this user account is....
>
>
>
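
An added example, not part of the original posts: a set-based comparison of the Change Password ACEs in two dsacls dumps, which (unlike the line-by-line `fc` above) ignores ACE ordering and flags trustees where an explicit Deny sits beside an Allow. The function names are hypothetical, the sample dumps are constructed from the ACE lines in the `fc` output above, and the one-ACE-per-line layout is assumed from that output.

```python
import re

# ACE line layout as shown in the fc output above:
# "<Allow|Deny> <trustee> Change Password"; trustees may contain spaces.
ACE_RE = re.compile(r"^(Allow|Deny)\s+(.+?)\s+Change Password\s*$", re.IGNORECASE)

def parse_change_password_aces(dump_text):
    """Return the set of (ace_type, trustee) Change Password ACEs in a dump."""
    aces = set()
    for line in dump_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.add((m.group(1).capitalize(), m.group(2).strip().upper()))
    return aces

def diff_aces(before_text, after_text):
    """Order-independent diff of Change Password ACEs between two dumps."""
    before = parse_change_password_aces(before_text)
    after = parse_change_password_aces(after_text)
    return {"removed": sorted(before - after), "added": sorted(after - before)}

def shadowed_allows(dump_text):
    """Trustees holding both Deny and Allow; the explicit Deny takes precedence."""
    aces = parse_change_password_aces(dump_text)
    denied = {t for kind, t in aces if kind == "Deny"}
    allowed = {t for kind, t in aces if kind == "Allow"}
    return sorted(denied & allowed)

# Constructed sample dumps (only the lines relevant to Change Password).
BEFORE = r"""READ PROPERTY
Deny Everyone Change Password
Deny NT AUTHORITY\SELF Change Password
Allow Everyone Change Password
"""
AFTER = r"""READ PROPERTY
Allow Everyone Change Password
"""

if __name__ == "__main__":
    print("ACE changes:", diff_aces(BEFORE, AFTER))
    print("Allow shadowed by Deny (before):", shadowed_allows(BEFORE))
    print("Allow shadowed by Deny (after): ", shadowed_allows(AFTER))
```
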