Re: Security Group Keeps getting removed???
- From: Space Junk <SpaceJunk@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 9 Aug 2006 06:20:01 -0700
I made the change on the PDC Emulator, and then check all other DC's and seen
the change reflected on them, so how would it be different to override?
Also, your saying the PDC emulator always uses its version of security in
AD? That does not sound correct at all, that defeats the whole concept of
replication. I must not be understanding you correctly in that description.
As far as permission on making changes to the object, I am a domain admin, I
don't believe I would be able to make the change to begin with without
permisision on that object.
"Jorge Silva" wrote:
Hi.
Every hour, the Windows domain controller that holds the primary domain
controller (PDC) Flexible Single Master Operation (FSMO) role compares the
ACL on all security principals (users, groups, and machine accounts) present
for its domain in Active Directory. If the ACL is different, the ACL on the
user object is overwritten to reflect the security settings of the
AdminSDHolder object (which includes disabling ACL inheritance). This
protects these administrative accounts from being modified by unauthorized
users if the accounts are moved to a container or organizational unit in
which a user has been delegated administrative privilege for the
modification of user accounts. Note that when a user is removed from the
administrative group, the process is not reversed and must be manually
changed
Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?id=232199
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
http://support.microsoft.com/?id=318180
The "Send As" right is removed from a user object after you configure the
"Send As" right in the Active Directory Users and Computers snap-in in
Exchange Server
http://support.microsoft.com/kb/907434
Delegated permissions are not available and inheritance is automatically
disabled
http://support.microsoft.com/?id=817433
AdminSDHolder Object Affects Delegation of Control for Past Administrator
Accounts
http://support.microsoft.com/?id=306398
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"Space Junk" <SpaceJunk@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C4B735E6-1737-424E-A1EC-752F09C53504@xxxxxxxxxxxxxxxx
Here is my issue, email_enabled_accountX has a security_groupY applied to
it
with "Send As" permissions. There are 12 other domain controllers,
accessing
each one manually and checking confirms the replication of this change.
However, after an hour or so, the security_groupY is no longer in the ACL
for
email_enabled_accountX, we are doing the same thing with
email_enabled_accountZ and never have this problem. email_enabled_accountX
is not inheritating any permissions.
This is not being done by a human, so what else could possible be doing
this?
- Follow-Ups:
- Re: Security Group Keeps getting removed???
- From: Jorge Silva
- Re: Security Group Keeps getting removed???
- References:
- Re: Security Group Keeps getting removed???
- From: Jorge Silva
- Re: Security Group Keeps getting removed???
- Prev by Date: Re: dcpromo without domain admin rights
- Next by Date: Re: Security Group Keeps getting removed???
- Previous by thread: Re: Security Group Keeps getting removed???
- Next by thread: Re: Security Group Keeps getting removed???
- Index(es):
Relevant Pages
|
