"Active Directory" "user object" lost "Allow Inheritable" check problem

Discussion in 'Active Directory' started by Tib, Jun 5, 2006.

  1. Tib

    Tib Guest

    Has anyone had this kind of problem?
    Active Directory (2000/2003) MMC Users and Computers.
    From time to time a user object loses the SECURITY\ADVANCED\ALLOW
    INHERITABLE PERMISSIONS check box.
    It's somewhat random, and the problem is that it prevents users from getting
    customized delegated attribute access, giving me a lot of problems in my
    AD scripts.
    Any help is welcome, thanks in advance.

    --
    Luis Silva
    System Engineering
    The great Morpheus. We meet at last. And you are. A Smith. Agent Smith. You
    all look the same to me.
    Agent Smith and Morpheus, The Matrix
     
    Tib, Jun 5, 2006
    #1

  2. Tib

    Jorge Silva Guest

    Hi
    It sounds like the user may be in a Windows Protected Group, which could be
    any one of the following:

    Windows 2000
    Enterprise Admins
    Schema Admins
    Domain Admins
    Administrators
    Administrators

    For Windows 2000 SP4 or Windows 2003
    Account Operators
    Server Operators
    Print Operators
    Backup Operators
    Domain Admins
    Schema Admins
    Enterprise Admins
    Cert Publishers


    Every hour, the Windows domain controller that holds the primary domain
    controller (PDC) Flexible Single Master Operation (FSMO) role compares the
    ACL on all security principals (users, groups, and machine accounts) present
    for its domain in Active Directory.

    If the ACL is different, the ACL on the user object is overwritten to
    reflect the security settings of the AdminSDHolder object (which includes
    disabling ACL inheritance). This protects these administrative accounts from
    being modified by unauthorized users if the accounts are moved to a
    container or organizational unit in which a user has been delegated
    administrative privilege for the modification of user accounts. Note that
    when a user is removed from the administrative group, the process is not
    reversed and must be manually changed.



    Description and Update of the Active Directory AdminSDHolder Object

    http://support.microsoft.com/?id=232199


    Delegated permissions are not available and inheritance is automatically
    disabled
    http://support.microsoft.com/?id=817433


    AdminSDHolder Object Affects Delegation of Control for Past Administrator
    Accounts
    http://support.microsoft.com/?id=306398


    Security tab of the adminSDHolder object does not display all properties
    http://support.microsoft.com/?id=301188

    --
    I hope that the information above helps you


    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 5, 2006
    #2
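
An audit for the behaviour described in the answer above, as an added example that is not part of the original thread: it lists user objects whose ACL inheritance is disabled and shows which protected group, if any, each one still belongs to. It assumes the ActiveDirectory PowerShell module, read access to the domain, and English group names that match the sAMAccountName of each group.

```powershell
# Added example, not from the thread. Read-only: nothing in the directory is changed.
Import-Module ActiveDirectory

# Union of the two protected-group lists given in the answer above.
# Assumption: English installs, where these names are also the sAMAccountName.
$protectedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins',
    'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Cert Publishers'

# Map the DN of every direct or nested member to one protected group it is in.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so a lookup in a child domain can legitimately return nothing.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        $protectedMembers[$_.DistinguishedName] = $name
    }
}

# AreAccessRulesProtected is true when the DACL is protected from inheritance,
# which is the cleared "Allow inheritable permissions" check box in the MMC.
$report = Get-ADUser -Filter * -Properties nTSecurityDescriptor |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            # Empty when the user is in none of the listed groups.
            ProtectedGroup    = $protectedMembers[$_.DistinguishedName]
        }
    }

$report | Sort-Object ProtectedGroup, SamAccountName | Format-Table -AutoSize
```

Rows with an empty ProtectedGroup column are accounts where inheritance is off but no current protected-group membership explains it, which matches the case the answer says must be changed manually.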

  3. Jorge de Almeida Pinto [MVP], Jun 5, 2006
    #3