Re: Permissions resetting in Blocked Inheritance OU's
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 13 Apr 2006 21:26:39 -0400
Sounds like a couple of things. First and foremost, it sounds like adminSDHolder functionality. Your director shouldn't have enhanced rights in the directory, and that is what causes that; he should have a normal user account. If he needs high-level rights, he gets another account with those rights that doesn't have email access. That goes for everyone: admins, execs, you name it.
Now the odd SID is probably a weird ACE on the adminSDHolder object; read up on that and this will probably make more sense.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Craig Barraclough wrote:
I have been trying to grant the "Send As" security permission to a director's account for his PA. This user account is in an OU that has Blocked Inheritance in Group Policy.
I can add the PA's account to the ACL and assign the send as permission.
If I leave the account for a little while and go back to it, the PA's account has been replaced with an unrecognised account with just a SID and different permissions.
Initially I thought it was inheriting permissions, but the inherit permissions box is unticked, and as far as I can see they are not inheriting.
I have tested with other accounts and it only seems to affect accounts that are in OUs that have blocked inheritance set in Group Policy. This confused me, as I can't see how AD permissions and Group Policy inheritance are linked.
I can assign the PA Send As permission to other users in other OUs that are not blocked, but I have tried assigning Send As for other users to other users in the blocked OUs with the same results: the permissions reset to what they were.
Unless I am missing something, it isn't to do with inheriting permissions, as I set permissions on the parent OU and set inheriting, which worked to start with, but then after a short period the inheritance had been taken off and the permissions had the unrecognised user again.
I am confused, as you probably are by reading this post (sorry).
Any advice would be great.
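
A read-only check for the adminSDHolder behaviour discussed in this thread, added here as an example and not part of either poster's message: it lists the accounts stamped adminCount=1 (those that are, or once were, covered by the adminSDHolder template) and dumps the template's ACEs, flagging any identity that shows only as a raw SID. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session with read access to the directory.

```powershell
# Added diagnostic example; read-only, makes no changes to the directory.
# Assumption: the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# 1. Accounts stamped adminCount=1. If the account whose ACL keeps resetting
#    appears here with inheritance disabled, the reset comes from the
#    adminSDHolder template, not from Group Policy or OU inheritance.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            DistinguishedName   = $_.DistinguishedName
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
        }
    } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

# 2. The ACL on the adminSDHolder object itself. An ACE whose identity cannot
#    be resolved to a name is shown as a bare SID string (S-1-...); that is the
#    kind of entry that reappears on protected accounts after each reset.
$holder = Get-ADObject -Identity $holderDN -Properties nTSecurityDescriptor

$holder.nTSecurityDescriptor.Access |
    Select-Object @{ n = 'Identity';   e = { $_.IdentityReference.Value } },
                  @{ n = 'Unresolved'; e = { $_.IdentityReference.Value -match '^S-1-' } },
                  AccessControlType,
                  ActiveDirectoryRights,
                  ObjectType |
    Sort-Object Unresolved -Descending |
    Format-Table -AutoSize
```

An account can keep adminCount=1 after it has been removed from a protected group, so the first table is a list of candidates to review rather than a list of current privileged members.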