AD not inheriting admin permissions

[Charlie]

I have Active Directory set up so that when I create a new user,
several admin groups are automatically inherited. Lately, this has not
been happening, and when I try to put them in manually, I get an error
message advising me that this changes permissions. The accounts
created previously still have the inherited permissions, and the box in
the Advanced security options is ticked to allow inheritance.

Does anyone have any ideas on what the problem could be?

 

[Jorge_de_Almeida_Pinto]

I have Active Directory set up so that when I create a new
user,
several admin groups are automatically inherited. Lately,
this has not
been happening, and when I try to put them in manually, I get
an error
message advising me that this changes permissions. The
accounts
created previously still have the inherited permissions, and
the box in
the Advanced security options is ticked to allow inheritance.

Does anyone have any ideas on what the problem could be?

And HOW did you realize that setup? Can you explain more about the
configurations you made? I think that is the key of answering this
question

 

[Charlie]

The users I am setting up are to be used as generic email addresses.
In User Objects, I have an OU called Generic Emails, and the security
tab in the OU Properties has a list of Admin groups to be added, so
when a new account is created, the admin groups are automatically
inherited.

All other OUs are working fine, and the Generic email one has the Admin
group list in the security tab, but not the Exchange Advanced, Mailbox
rights tab, where they should also appear.

 

[Charlie]

I have since done a little more digging, and the same thing happens if
I create a new user in another OU, the admin groups are being inherited
on the Security tab, but not in the mailbox rights.

 

[Charlie]

I have since done a little more digging, and the same thing happens if
I create a new user in another OU, the admin groups are being inherited
on the Security tab, but not in the mailbox rights.

 

[Charlie]

I have since done a little more digging, and the same thing happens if
I create a new user in another OU, the admin groups are being inherited
on the Security tab, but not in the mailbox rights.

 

[Joe Richards [MVP]]

You can't set up mailbox rights to be inherited at the OU level. You can only
set up that inheritence based on Exchange structures such as DB, SG, Server, AG,
or Org.

 

[Charlie]

I've had a look on my Exchange server, and I've discovered a bit more
about the problem; the mailboxes are not being created on the server.

As for the inheritance thing, that's the way we've being setting
permissions for a while, on the properties, security tab of the OU,
just like a file structure permission setting.

 

[Joe Richards [MVP]]

I repeat, you can not set mailbox permissions at the OU level. Trust me on this.
You can set SEND-AS but that is a permission that is propagated through the
hierarchy. The Exchange Advanced Mailbox rights tab takes its inheritance from a
portion of the configuration container.

As for mailboxes not being created, that is almost certainly an issue with your
RUS or AD replication.

joe