"Access Denied" when trying to update attribute on Domain Admin user.

Walt Stringer

My user account is not a Domain Admin, but I have been given
read/write permission to a User attribute across the entire AD
structure. I am able to edit this attribute for all users except for
users that are in the Domain Admins group. When I attempt to modify
the attribute on Domain Admin users, I get an "Access Denied" error
message.

Is this an explicit permission or is there a different flag that needs
to be set, or is it just not possible for a regular user to update an
attribute on a Domain Admin user?

Thanks,

Walt Stringer
Matjaz Ladava [MVP]

If you check the security settings of the Admin user, you will see that
you don't have permission to modify this object, as it is protected by
the AdminSDHolder process. This process kicks off every hour on the server that
holds the PDC role and checks whether the security descriptors of user accounts
and groups that belong to Admin groups match the ones written in the
AdminSDHolder attribute; if they don't, the process resets them to match
AdminSDHolder. More info can be found at
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318180
This is done to avoid delegating user permission to modify Admin groups and
therefore the possibility for such a user to add himself to an admin group. This
would be an elevation of privileges.

Regards
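To see the behaviour described in this answer on your own domain, the following read-only audit script is an added example (not part of the thread): it shows which accounts carry the AdminSDHolder-derived DACL and whether the delegated principal has any ACE on AdminSDHolder itself. It assumes the RSAT ActiveDirectory module and a domain account that can read AD objects; `CONTOSO\AttributeEditors` is a hypothetical placeholder for the delegated user or group.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# a domain account that can read AD objects; nothing here modifies the directory.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$sdHolderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$sdHolder   = Get-ADObject -Identity $sdHolderDN -Properties nTSecurityDescriptor
"SDProp runs on the PDC emulator: $($domain.PDCEmulator)"

# Reduce a DACL to a sortable list of explicit (non-inherited) ACE strings, so two
# security descriptors can be compared independent of ACE ordering.
function Get-DaclSignature([System.DirectoryServices.ActiveDirectorySecurity] $sd) {
    @($sd.Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.ActiveDirectoryRights,
                $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType
        } | Sort-Object)
}

# 1. Is the delegated principal granted anything on AdminSDHolder itself?
#    (Hypothetical name; replace with the user or group that got the OU delegation.)
$delegate = 'CONTOSO\AttributeEditors'
$hits = $sdHolder.nTSecurityDescriptor.Access |
    Where-Object { $_.IdentityReference.Value -eq $delegate }
if ($hits) {
    $hits | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
} else {
    "$delegate has no ACE on AdminSDHolder, so its OU delegation is overwritten on protected accounts."
}

# 2. Which users are stamped as protected (adminCount=1), and does each DACL still
#    match AdminSDHolder? A mismatch means SDProp has not yet re-applied it.
$holderSig = Get-DaclSignature $sdHolder.nTSecurityDescriptor
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor, memberOf |
    ForEach-Object {
        $userSig = Get-DaclSignature $_.nTSecurityDescriptor
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            InheritanceBlocked   = $_.nTSecurityDescriptor.AreAccessRulesProtected
            MatchesAdminSDHolder = -not (Compare-Object $holderSig $userSig)
            MemberOf             = ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        }
    } | Format-Table -AutoSize
```

Accounts that show adminCount=1 but no longer belong to any protected group keep the restrictive DACL until an administrator clears the stamp, which is a common reason a delegation "mysteriously" fails for a former admin.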
 
