Re: User objects not inheriting permissions




Are those users members of protected groups, or are those users members of
groups that are members of protected groups? Or have they been members?
Most probably it is the AdminSDHolder that is bugging you.

Every hour, the Microsoft Windows domain controller that has the primary
domain controller (PDC) emulator operations master role verifies the ACLs on
members of these administrative groups and compares them to the ACL on the
AdminSDHolder object. If the ACL that is on the AdminSDHolder object is
different, the ACLs on the members of the administrative group are reset to
match the ACL on the AdminSDHolder object.

For more info on the ADMINSDHOLDER object see the following related KB
articles (not all may apply to your situation!)

Description and Update of the Active Directory AdminSDHolder Object
--> MS-KBQ232199 (http://support.microsoft.com/?id=232199)
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
--> MS-KBQ318180 (http://support.microsoft.com/?id=318180)
Delegated permissions are not available and inheritance is automatically
disabled
--> MS-KBQ817433 (http://support.microsoft.com/?id=817433)
AdminSDHolder Object Affects Delegation of Control for Past Administrator
Accounts
--> MS-KBQ306398 (http://support.microsoft.com/?id=306398)
Security tab of the adminSDHolder object does not display all properties
--> MS-KBQ301188 (http://support.microsoft.com/?id=301188)
"You do not have sufficient permissions in the Domain" error message occurs
and Exchange Setup does not respond
--> MS-KBQ319966 (http://support.microsoft.com/?id=319966)
Certification Authority configuration to publish certificates in Active
Directory of trusted domain
--> MS-KBQ281271 (http://support.microsoft.com/?id=281271)

also look at:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/16/86.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"H_stressed" <dont_reply@xxxxxxx> wrote in message
news:49A3469F-0734-4C76-BB7D-A9F19E9C9357@xxxxxxxxxxxxxxxx
Hi, I've delegated control to different OUs within a large AD as
necessary.
Upon testing I found that those users who should have "full control" could
create and manage objects, but could not edit objects (such as users and
groups) that existed before I delegated control.

On investigation it appears that the vast majority of the user objects
have the "allow inheritable permissions from the parent to propagate to
this object.." unticked. To manually change this on every object will take a
very long time!

Two questions therefore:
1. Can anyone give a reason why these objects have this value unticked?
2. Is there a way that I can automate the necessary process?

To answer some of the likely questions, its functionality is 2003 (no 2000
servers). It's a child domain with 5 DCs.

Thanks
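
One way to automate the check asked about above, as an added example that is not part of the original thread or of the linked KB articles: it lists users stamped with adminCount=1, shows whether inheritance is blocked, and flags those no longer in a protected group. It assumes the ActiveDirectory RSAT PowerShell module; the function name and the default group list are assumptions to adjust for your domain.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module.
function Repair-StaleAdminSDHolderUser {          # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed list of protected groups; adjust for your domain and OS version.
        [string[]]$ProtectedGroup = @('Administrators', 'Domain Admins',
            'Enterprise Admins', 'Schema Admins', 'Account Operators',
            'Server Operators', 'Backup Operators', 'Print Operators'),
        [switch]$Fix                               # without -Fix: report only
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Resolve the names that exist in this domain to distinguished names;
    # groups that live elsewhere (e.g. in the forest root) are skipped.
    $groupDns = @($ProtectedGroup |
        ForEach-Object { Get-ADGroup -Filter "Name -eq '$_'" } |
        ForEach-Object { $_.DistinguishedName })
    # One query with the in-chain matching rule, so nested membership counts.
    # Primary-group membership is not stored in memberOf and is not checked.
    $clauses = ($groupDns | ForEach-Object { "(memberOf:1.2.840.113556.1.4.1941:=$_)" }) -join ''
    $current = @{}
    if ($clauses) {
        Get-ADUser -LDAPFilter "(|$clauses)" |
            ForEach-Object { $current[$_.DistinguishedName] = $true }
    }

    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $dn      = $_.DistinguishedName
        $blocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        $stale   = -not $current.ContainsKey($dn)
        $fixed   = $false
        if ($Fix -and $stale -and $blocked -and
            $PSCmdlet.ShouldProcess($dn, 'Re-enable inheritance and clear adminCount')) {
            $acl = Get-Acl -Path "AD:\$dn"
            $acl.SetAccessRuleProtection($false, $true)   # inherit from parent again
            Set-Acl -Path "AD:\$dn" -AclObject $acl
            Set-ADUser -Identity $dn -Clear adminCount
            $fixed = $true
        }
        [pscustomobject]@{
            User = $dn; InheritanceBlocked = $blocked
            StillProtected = -not $stale; Fixed = $fixed
        }
    }
}
Repair-StaleAdminSDHolderUser | Format-Table -AutoSize   # report only
```

Run it with `-Fix -WhatIf` first to preview the changes. A user who is still covered by a protected group will have inheritance disabled again at the next hourly AdminSDHolder pass, so treat the flagged accounts as candidates to review rather than a final list.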

