Need AD HELP - "Active Directory" "user object" lost "Allow Inheritable" check problem

Discussion in 'Active Directory' started by Tib, Jun 29, 2006.

  1. Tib

    Tib Guest

    Has anyone had this kind of problem.
    ActiveDirectory (2000/2003) MMC users and computers.
    From time to time A user object loose the SECURITY\ADVANCED\ALLOW
    Its somewhat random and the problem is that it prevents users to get
    customized delegated attributes access giving me a lot of problems in my
    Any help is welcome,thanks in advanced

    Luis Miguel Tomé Silva
    System Engineering
    Better three hours too soon than one minute too late.
    Tib, Jun 29, 2006
    1. Advertisements

  2. Tib

    Jorge Silva Guest


    Sounds like your user is member of Protected groups:

    Every hour, the Windows 2000 domain controller that holds the primary domain
    controller (PDC) Flexible Single Master Operation (FSMO) role compares the
    ACL on all security principals (users, groups, and machine accounts) present
    for its domain in Active Directory and that are in administrative groups
    against the ACL on the following object:
    Replace "DC=MyDomain,DC=Com" in this path with the distinguished name (DN)
    of your domain.
    If the ACL is different, the ACL on the user object is overwritten to
    reflect the security settings of the AdminSDHolder object (which includes
    disabling ACL inheritance). This protects these administrative accounts from
    being modified by unauthorized users if the accounts are moved to a
    container or organizational unit in which a user has been delegated
    administrative privilege for the modification of user accounts. Note that
    when a user is removed from the administrative group, the process is not
    reversed and must be manually changed.

    Description and Update of the Active Directory AdminSDHolder Object
    AdminSDHolder Thread Affects Transitive Members of Distribution Groups
    Delegated permissions are not available and inheritance is automatically
    AdminSDHolder Object Affects Delegation of Control for Past Administrator
    Security tab of the adminSDHolder object does not display all properties
    "You do not have sufficient permissions in the Domain" error message occurs
    and Exchange Setup does not respond

    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Jun 29, 2006
    1. Advertisements

  3. Jorge de Almeida Pinto [MVP], Jun 29, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.