Re: AD Delegation Fails - Permissions Disappear
- From: rovert506 <rovert506@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 12 Jun 2006 09:52:01 -0700
While that all makes sense, I have one question:
Many of our users are currently members of the Domain Users group, which is in turn a member of the Print Operators group. Yet some of our new accounts have inherited permissions from the delegation, even though he is a member of a protected group. So if he's a member of a protected group, why is he inheriting permissions?
BTW: Thanks for all the help!!
"Jorge Silva" wrote:
Hi.
Check:
Every hour, the Windows domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory. If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.
Protected groups are:
Windows 2000:
Enterprise Admins
Schema Admins
Domain Admins
Administrators
Windows 2000 SP4 or Windows 2003:
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers
Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?id=232199
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
http://support.microsoft.com/?id=318180
Delegated permissions are not available and inheritance is automatically
disabled
http://support.microsoft.com/?id=817433
AdminSDHolder Object Affects Delegation of Control for Past Administrator
Accounts
http://support.microsoft.com/?id=306398
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"rovert506" <rovert506@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:38835BBE-4107-43E8-AED4-8BDC38B5C370@xxxxxxxxxxxxxxxx
Windows Server 2003 Standard:
I'm trying to delegate control of some OUs to three groups. Each of these groups will have specific permissions (unlock accounts, reset password, create/manage/delete). I've tried multiple times to delegate the control, but it never works. We recently upgraded from NT about 8 months ago, and what I've found is that all the pre-NT accounts were not set up to inherit permissions from parent objects. Every account since the switchover is set up correctly, and works as it should when I test the delegations.
I manually went into each old user account and selected the "inherit permissions from parent" checkbox (there are about 200 accounts). About halfway through the users, I checked on the first account I changed and saw that the permissions were reverted. Thus the "inherit parent object permissions" was UNSELECTED, when I know that I did in fact select it. I do not know why this is happening...
Any ideas?
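The AdminSDHolder behaviour Jorge describes above (an hourly pass on the PDC emulator that stamps adminCount=1, copies the AdminSDHolder ACL onto every transitive member of the protected groups and disables inheritance, and never reverses itself) can be checked from the command line. The following PowerShell is an added example written for this page; it is not code from either poster or from Microsoft. It assumes the ActiveDirectory module (RSAT) on a machine joined to the domain, read access to user ACLs, and, for the -Apply path, rights to clear adminCount and rewrite the security descriptor. It lists every stamped user, reports which protected group (directly or through nesting) still covers it, and flags the "orphans" from KB 817433 and KB 306398: accounts that keep adminCount=1 and blocked inheritance after leaving every protected group. With Domain Users nested in Print Operators, as in the thread, every ordinary user shows up as protected, which is exactly why the delegation keeps being undone.

```powershell
# Added example, not part of the thread. Assumes the ActiveDirectory PowerShell module (RSAT)
# and enough rights to read ACLs on user objects; writes are skipped unless -Apply is given.
[CmdletBinding()]
param([switch]$Apply)

Import-Module ActiveDirectory

# Windows 2000 SP4 / 2003 protected groups as listed in the thread (later releases add a few more).
$ProtectedGroups = 'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
                   'Domain Admins', 'Schema Admins', 'Enterprise Admins', 'Cert Publishers',
                   'Administrators'

# Resolve transitive membership once. SDProp treats nested members the same way, which is why
# nesting Domain Users into Print Operators, as in the thread, makes every user "protected".
$ProtectedDNs = @{}
foreach ($g in $ProtectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $ProtectedDNs[$_.DistinguishedName] = $g }
    } catch {
        # Enterprise Admins / Schema Admins only exist in the forest root domain.
        Write-Verbose "Skipping $g : $_"
    }
}

# Users the hourly AdminSDHolder pass has stamped (adminCount=1, inheritance disabled).
$Stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

foreach ($u in $Stamped) {
    $path = 'AD:\' + $u.DistinguishedName
    $acl  = Get-Acl -Path $path
    $blocked = $acl.AreAccessRulesProtected   # $true when "inherit from parent" is unticked

    if ($ProtectedDNs.ContainsKey($u.DistinguishedName)) {
        # Still protected: SDProp will re-stamp it within the hour, so re-enabling inheritance is pointless.
        Write-Output ("{0,-25} protected via '{1}', inheritance blocked={2}" -f $u.SamAccountName, $ProtectedDNs[$u.DistinguishedName], $blocked)
        continue
    }

    # Orphan (KB 817433 / KB 306398 case): stamped in the past but no longer in any protected group.
    # SDProp never reverses this, so adminCount and inheritance have to be fixed by hand.
    Write-Output ("{0,-25} ORPHAN (adminCount=1, not in any protected group), inheritance blocked={1}" -f $u.SamAccountName, $blocked)

    if ($Apply) {
        Set-ADUser -Identity $u -Clear adminCount
        # SetAccessRuleProtection($false, ...) re-enables inheritance; the second argument is ignored
        # when protection is turned off, and explicit ACEs already on the object are left in place.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it without -Apply first and read the report: an account that still shows "protected via 'Print Operators'" will lose any inheritance you re-enable on the next hourly pass, so the durable fix is to take it (or the nested Domain Users group) out of that group, then run with -Apply to clear the leftover adminCount and restore inheritance. Get-ADGroupMember -Recursive is subject to the ADWS default result limit (5000 entries); on a domain where Domain Users is nested into a protected group, replace that call with an LDAP filter using the in-chain matching rule, for example Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=<group DN>)", which needs Windows Server 2003 SP2 or later on the DC.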