Re: Problems with assigning permissions





"Altria" wrote:



"Jorge de Almeida Pinto [MVP]" wrote:

for the objects that they cannot reset passwords. Is the inheritance
checkbox unchecked? If yes, are those users members of any default admin
groups? (e.g. account operators, etc.) (or are they member of any group
where that group is a member of a default admin group)

If yes, then the issue here is the AdminSDHolder object that protects any of
the protected groups and all of its members.
Every hour, the Microsoft Windows domain controller that has the primary
domain controller (PDC) emulator operations master role verifies the ACLs on
members of these administrative groups and compares them to the ACL on the
AdminSDHolder object. If the ACL that is on the AdminSDHolder object is
different, the ACLs on the members of the administrative group are reset to
match the ACL on the AdminSDHolder object.

See:
For more info on the ADMINSDHOLDER object see the following related KB
articles (not all may apply to your situation!)

Description and Update of the Active Directory AdminSDHolder Object
--> MS-KBQ232199 (http://support.microsoft.com/?id=232199)
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
--> MS-KBQ318180 (http://support.microsoft.com/?id=318180)
Delegated permissions are not available and inheritance is automatically
disabled
--> MS-KBQ817433 (http://support.microsoft.com/?id=817433)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"Altria" <urbantec92@xxxxxxx> wrote in message
news:%23Cc7pRyNGHA.2624@xxxxxxxxxxxxxxxxxxxxxxx
Hello All,
Some of the administrators are not able to reset passwords of users. I
have delegated control of the OU to these users yet it still tells them
that they do not have permission.
Most of my admins are running adminpak and connecting to AD users and
computers mmc template. Any reasons why they would not be able to do this?

Thanks,
Altria



Thanks Jorge,
My environment is win2k3/win2k with xpsp2 clients. I do not have a check on
the inheritance tab and the "admins" are not part of any protected group (by
this I assume u mean any built-in security groups?)

I would like them to have access only to certain OUs without giving them any
permissions from the top level domain.

BTW, these "admins" are connecting remotely from their PCs to AD using
Adminpak.

What exact groups should I put them in in order for this to happen?

TIA,
Altria

Thanks again Jorge,
After reading about AdminSDHolder on TechNet, I didn't remember that these users
who I delegated permissions to were trying to reset passwords for a security
group account which was a member of the built-in security principal.
Thanks again,
Altria
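
A read-only PowerShell check for the situation this thread ends on, added here as an example and not written by any poster: it reports whether the account whose password reset fails is covered by AdminSDHolder. It assumes the ActiveDirectory module is available; the function name `Test-AdminSDHolderProtection` is hypothetical, and treating every group stamped `adminCount=1` as protected is an assumption that can over-report if a group carries a stale stamp.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module; makes no changes.
Import-Module ActiveDirectory

function Test-AdminSDHolderProtection {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # sAMAccountName or DN of the account that cannot be reset
    )

    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor

    # Escape the DN for use inside an LDAP filter (backslash must be handled first).
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a'
    $dn = $dn -replace '\(', '\28' -replace '\)', '\29'

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, so nested
    # (group-in-group) membership is matched as well as direct membership.
    # Assumption: groups stamped adminCount=1 are the protected groups.
    $filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
    $groups = @(Get-ADGroup -LDAPFilter $filter)

    # True when "inherit permissions from parent" is switched off on the object,
    # which is why permissions delegated on the OU never reach it.
    $inheritanceOff = $user.nTSecurityDescriptor.AreAccessRulesProtected

    if ($groups.Count -gt 0) {
        $finding = 'Protected: ACL is reset to match AdminSDHolder; OU delegation will not stick'
    } elseif ($user.adminCount -eq 1 -or $inheritanceOff) {
        $finding = 'Not currently in a protected group, but adminCount or disabled inheritance remains'
    } else {
        $finding = 'Not affected by AdminSDHolder; check the delegation itself'
    }

    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        AdminCount          = $user.adminCount
        InheritanceDisabled = $inheritanceOff
        ProtectedVia        = ($groups | ForEach-Object { $_.Name }) -join '; '
        Finding             = $finding
    }
}

# Usage (account name is a placeholder):
#   Test-AdminSDHolderProtection -Identity 'jdoe'
```

The in-chain match reads the `member` attribute, so a protected group held only as the account's primary group is not reported.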