Need AD HELP - "Active Directory" "user object" lost "Allow Inheritable" check problem

Discussion in 'Active Directory' started by Tib, Jun 29, 2006.

  1. Tib

    Tib Guest

    Has anyone had this kind of problem?
    Active Directory (2000/2003) MMC Users and Computers.
    From time to time a user object loses the SECURITY\ADVANCED\ALLOW
    INHERITABLE PERMISSIONS check box.
    It's somewhat random, and the problem is that it prevents users from getting
    customized delegated attribute access, giving me a lot of problems in my
    AD scripts.
    Any help is welcome, thanks in advance

    --
    Luis Miguel Tomé Silva
    System Engineering
    Better three hours too soon than one minute too late.
    Shakespeare
     
    Tib, Jun 29, 2006
    #1

  2. Tib

    Jorge Silva Guest

    Hi

    Sounds like your user is a member of protected groups:

    Every hour, the Windows 2000 domain controller that holds the primary domain
    controller (PDC) Flexible Single Master Operation (FSMO) role compares the
    ACL on all security principals (users, groups, and machine accounts) present
    for its domain in Active Directory and that are in administrative groups
    against the ACL on the following object:
    CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com
    Replace "DC=MyDomain,DC=Com" in this path with the distinguished name (DN)
    of your domain.
    If the ACL is different, the ACL on the user object is overwritten to
    reflect the security settings of the AdminSDHolder object (which includes
    disabling ACL inheritance). This protects these administrative accounts from
    being modified by unauthorized users if the accounts are moved to a
    container or organizational unit in which a user has been delegated
    administrative privilege for the modification of user accounts. Note that
    when a user is removed from the administrative group, the process is not
    reversed and must be manually changed.


    Description and Update of the Active Directory AdminSDHolder Object
    http://support.microsoft.com/?id=232199

    AdminSDHolder Thread Affects Transitive Members of Distribution Groups
    http://support.microsoft.com/?id=318180

    Delegated permissions are not available and inheritance is automatically disabled
    http://support.microsoft.com/?id=817433

    AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts
    http://support.microsoft.com/?id=306398

    Security tab of the adminSDHolder object does not display all properties
    http://support.microsoft.com/?id=301188

    "You do not have sufficient permissions in the Domain" error message occurs and Exchange Setup does not respond
    http://support.microsoft.com/?id=319966




    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
     
    Jorge Silva, Jun 29, 2006
    #2
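
Added example, not part of the replies above: a read-only PowerShell audit that lists the user accounts stamped by the AdminSDHolder process, shows whether inheritance is blocked on each, and flags accounts that are no longer in a protected group (the case that "must be manually changed"). It assumes the RSAT ActiveDirectory module, which is newer than the Windows 2000/2003 tools in this thread, and relies on the `adminCount` attribute that the process sets to 1 on objects it protects; treating every group with `adminCount=1` as protected is a heuristic.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
# Read-only: it reports, it does not change any ACL or attribute.
Import-Module ActiveDirectory

# Escape characters that are special inside an LDAP filter value (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Heuristic (assumption): groups stamped adminCount=1 are the protected groups.
# A group that was once nested in a protected group can keep a stale stamp.
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

# Collect every user that is currently a direct or nested member of one of them.
$stillProtected = @{}
foreach ($group in $protectedGroups) {
    $dn  = ConvertTo-LdapFilterValue $group.DistinguishedName
    $rid = ($group.SID.Value -split '-')[-1]
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (nested membership).
    # primaryGroupID covers users whose primary group is the protected group,
    # because primary-group membership is not stored in memberOf.
    $filter = "(|(memberOf:1.2.840.113556.1.4.1941:=$dn)(primaryGroupID=$rid))"
    Get-ADUser -LDAPFilter $filter |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# Report every stamped user. krbtgt is protected in its own right, not through
# group membership, so it is excluded to avoid a false "stale" result.
Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' `
           -Properties nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            # True when "allow inheritable permissions" is unchecked on the object.
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            # False means the stamp is left over from a past membership.
            InProtectedGroup   = $stillProtected.ContainsKey($_.DistinguishedName)
            DistinguishedName  = $_.DistinguishedName
        }
    } |
    Sort-Object InProtectedGroup, SamAccountName |
    Format-Table -AutoSize
```

Rows with `InheritanceBlocked` true and `InProtectedGroup` false are the accounts where delegated permissions stay unavailable until inheritance is re-enabled by hand; rows with both true will be reset again on the next hourly comparison.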

  3. Jorge de Almeida Pinto [MVP], Jun 29, 2006
    #3