Re: Inheriting Permissions from Parent



Hi James
Although you say that this only happens in a specific OU, IMO it isn't good practice to assign/delegate rights to users who are members of protected groups. Here's why:
When you delegate permissions using the Delegation of Control wizard, these permissions rely on the user object that inherits the permissions from the parent container. Members of protected groups do not inherit permissions from the parent container. Therefore, if you set permissions using the Delegation of Control wizard, these permissions are not applied to members of protected groups.
http://support.microsoft.com/kb/232199
Google for AdminSDHolder

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
"James" <James@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1DEF294C-733E-4080-9172-DC0676381447@xxxxxxxxxxxxxxxx
I've been running a W2K3 Native mode Single forest for about 2.5 years and I
have about 20 OUs set up. Within one of my OUs I have many user accounts
that are not inheriting permissions from their parent.

We have delegated control to all of the OUs to our helpdesk to allow them to
reset passwords on user accounts. To date this has worked fine but now my
helpdesk is complaining that they are unable to reset passwords on many of
the user accounts in one particular OU. They receive a message stating
Access is denied. When I check the box on the user account to inherit
permissions from its parent the helpdesk is able to reset the user's password,
but after a while the check is removed from that user account and the
helpdesk is no longer able to reset the password nor is the user able to
reset his or her own password. Domain Admins have no problem resetting these
accounts. Account Operators and the Helpdesk group are not able to unless the
inherit permissions from parent option is checked on that user account. By
default when new accounts are created the option to inherit permissions from
parent option is checked. This seems to only be a problem with existing
accounts and not new ones.

Any ideas?
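
A diagnostic for the behaviour discussed in this thread, as an added example that is not part of the original posts: it classifies user accounts by their `adminCount` flag and ACL inheritance state to show which ones OU-level delegation cannot reach. The function name, the sample accounts and the partial protected-group list are assumptions for illustration; the commented live query assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example (not from the thread). Partial list of default protected groups;
# only direct membership is checked here (assumption for illustration).
$ProtectedGroups = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
                   'Account Operators','Server Operators','Print Operators','Backup Operators'

function Get-InheritanceFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        $flagged = ($User.adminCount -eq 1)
        $blocked = [bool]$User.InheritanceBlocked
        # memberOf holds distinguished names; compare the leading CN to the list
        $hits = @($User.MemberOf |
                  ForEach-Object { ($_ -split ',')[0] -replace '^CN=' } |
                  Where-Object { $ProtectedGroups -contains $_ })
        $finding =
            if ($flagged -and $hits.Count -gt 0) {
                'Protected: ACL comes from AdminSDHolder, OU delegation does not apply'
            } elseif ($flagged) {
                'adminCount=1, no listed group: check nested membership or a stale flag'
            } elseif ($blocked) {
                'Inheritance disabled by hand, not by AdminSDHolder'
            } else {
                'Inherits from parent OU'
            }
        [pscustomobject]@{
            SamAccountName     = $User.SamAccountName
            adminCount         = $User.adminCount
            InheritanceBlocked = $blocked
            ProtectedGroups    = $hits -join ';'
            Finding            = $finding
        }
    }
}

# Constructed sample accounts so the function runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName='alice'; adminCount=1; InheritanceBlocked=$true
                       MemberOf=@('CN=Print Operators,CN=Builtin,DC=example,DC=com') }
    [pscustomobject]@{ SamAccountName='bob'; adminCount=1; InheritanceBlocked=$true; MemberOf=@() }
    [pscustomobject]@{ SamAccountName='carol'; adminCount=$null; InheritanceBlocked=$false; MemberOf=@() }
)
$sample | Get-InheritanceFinding | Format-Table -AutoSize

# Against a live domain (OU path is a placeholder):
# Get-ADUser -SearchBase 'OU=Example,DC=example,DC=com' -Filter * `
#     -Properties adminCount, memberOf, nTSecurityDescriptor |
#   Select-Object SamAccountName, adminCount, MemberOf,
#     @{n='InheritanceBlocked'; e={$_.nTSecurityDescriptor.AreAccessRulesProtected}} |
#   Get-InheritanceFinding
```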

