Inheritance on user objects with Domain Admin membership

Rob

Hi,

I have come across an interesting problem that I cannot
determine is a security feature of Windows 2000 AD or is a
problem with the tool we use for Active Directory
Administrative delegation (Quest Active Roles).

The issue is this: Our administrative accounts are
sequestered into a specific container with permissions to
the container objects applied at the root of the container
itself. All objects are set to allow inheritance of
permissions. We began noticing a handful of the user
objects did not have inheritance set and our level 1 help
desk could not reset the passwords. After resetting
inheritance on the user objects it reverts back to no
inheritance within an hour or so. I have determined that
any user object that has membership in Domain Admins or
Administrators will exhibit this issue. If an account
(user object) is removed from membership in those groups
inheritance will stay.

Can anyone tell me if this is a security feature of Win2k
to prevent accidentally allowing rights to inherit on high
level administrative accounts? Or is this caused by
something else?

Thanks,
Rob
(e-mail address removed)
 
