Re: AD Delegation Fails - Permissions Disappear
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Fri, 9 Jun 2006 19:26:26 +0100
Hi
Check:
Every hour, the Windows domain controller that holds the primary domain
controller (PDC) Flexible Single Master Operation (FSMO) role compares the
ACL on all security principals (users, groups, and machine accounts) present
for its domain in Active Directory.
If the ACL is different, the ACL on the user object is overwritten to
reflect the security settings of the AdminSDHolder object (which includes
disabling ACL inheritance). This protects these administrative accounts from
being modified by unauthorized users if the accounts are moved to a
container or organizational unit in which a user has been delegated
administrative privilege for the modification of user accounts. Note that
when a user is removed from the administrative group, the process is not
reversed and must be manually changed.
Protected groups are:
Windows 2000:
- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
Windows 2000 SP4 or Windows 2003:
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers
Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?id=232199
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
http://support.microsoft.com/?id=318180
Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/?id=817433
AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts
http://support.microsoft.com/?id=306398
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"rovert506" <rovert506@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:38835BBE-4107-43E8-AED4-8BDC38B5C370@xxxxxxxxxxxxxxxx
Windows Server 2003 Standard:
I'm trying to delegate control of some OUs to three groups. Each of these
groups will have specific permissions (unlock accounts, reset password,
create/manage/delete). I've tried multiple times to delegate the control,
but it never works. We recently upgraded from NT about 8 months ago, and
what I've found is that all the Pre-NT accounts were not set up to inherit
permissions from parent objects. Every account since the switchover is set
up correctly, and works as it should when I test the delegations.
I manually went into each old user account and selected the "inherit
permissions from parent" checkbox (there are about 200 accounts). About
halfway through the users, I checked on the first account I changed and saw
that the permissions were reverted back. Thus the "inherit parent object
permissions" was UNSELECTED, when I know that I did in fact select it. I do
not know why this is happening...
Any ideas??
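One way to find the accounts this process has touched, as an added example that is not part of the original thread: the script below lists principals that SDProp has stamped with adminCount=1 but that are no longer members of any protected group, and with -Remediate clears the stamp and re-enables inheritance, which is the manual reversal described above. It assumes the ActiveDirectory RSAT module (which postdates the Windows 2003 setup in the question) and Domain Admin rights; the group list is the Windows 2003 list from the reply and should be adjusted for newer OS versions.

```powershell
param([switch]$Remediate)
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is installed and the caller has rights to edit the objects.
Import-Module ActiveDirectory

# Protected groups per the Windows 2003 list in the reply (KB 232199).
$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins', 'Schema Admins',
    'Enterprise Admins', 'Cert Publishers'

# Collect every transitive member DN of the protected groups. Schema Admins
# and Enterprise Admins exist only in the forest root domain, so missing
# groups are skipped rather than treated as an error.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($null -eq $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object {
        $protectedMembers[$_.DistinguishedName] = $true
    }
}

# Orphans: stamped by SDProp (adminCount=1) but not in a protected group now.
# krbtgt is stamped by default and is left alone.
$orphans = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' -Properties adminCount |
    Where-Object { -not $protectedMembers.ContainsKey($_.DistinguishedName) -and $_.Name -ne 'krbtgt' }

foreach ($obj in $orphans) {
    Write-Output "Orphaned AdminSDHolder stamp: $($obj.DistinguishedName)"
    if ($Remediate) {
        # Clear the stamp so the hourly SDProp pass stops reapplying the
        # AdminSDHolder ACL to this object...
        Set-ADObject -Identity $obj -Clear adminCount
        # ...then re-enable inheritance so delegated OU permissions flow down.
        # SetAccessRuleProtection($false, $true): not protected, keep existing ACEs.
        $path = "AD:\$($obj.DistinguishedName)"
        $acl = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it without -Remediate first and review the list, since any object still legitimately in a protected group would be re-stamped on the next SDProp pass anyway.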