AD object permissions will not stick...why?

John Smith

There are a number of user accounts in a particular OU which will not retain
the permissions I set. Permissions on the OU itself are such that the
"Account Operators" group has Full control over the accounts. If I check
"Inherit from parent", they will inherit the Account Operators group.
However, after a couple of hours, permissions will go back to the way they
were before... no Account Operators. If I create a new user account, it
will inherit permissions properly.

I have tried moving the accounts to another OU but that didn't solve the
problem. I've played around with all the security settings but nothing
seems to work. Any idea as to how I can make the security settings stick?

This is a Windows 2000 domain with three domain controllers. The OU in
question is 3 levels deep. Accounts in the parent OU work fine and an OU
under the "problem OU" works fine.

Any help is appreciated.

Wayne Tilton

There are a number of user accounts in a particular OU which will not
retain the permissions I set. Permissions on the OU itself are such
that the "Account Operators" group has Full control over the accounts.
If I check "Inherit from parent", they will inherit the Account
Operators group. However, after a couple of hours, permissions will go
back to the way they were before... no Account Operators. If I create
a new user account, it will inherit permissions properly.

I have tried moving the accounts to another OU but that didn't solve
the problem. I've played around with all the security settings but
nothing seems to work. Any idea as to how I can make the security
settings stick?

This is a Windows 2000 domain with three domain controllers. The OU in
question is 3 levels deep. Accounts in the parent OU work fine and an
OU under the "problem OU" works fine.

Any help is appreciated.

Sounds like AdminSDHolder is turning off inheritance because the users
are in one of the protected groups. See the following KB article for
further details:

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

Hope that helps,

Wayne Tilton

John Smith

Thanks Wayne! At least I'm getting somewhere now. I ran the program at
the link you provided---commented out the flags that are being set in it.
Indeed the users in question appear in this list. I'll try it on one of the
users to see if this helps.

I have no idea what the "AdminCount" flag is for or what a
"protected group" is.

Thanks again.

Wayne Tilton

Thanks Wayne! At least I'm getting somewhere now. I ran the program
at the link you provided---commented out the flags that are being set
in it. Indeed the users in question appear in this list. I'll try it
on one of the users to see if this helps.

I have no idea what the "AdminCount" flag is for or what a
"protected group" is.

Thanks again.

"Protected Groups" are simply the groups that are protected by
AdminSDHolder. Any user who is in one of the protected groups (directly
or via nesting) gets inheritance turned off by AdminSDHolder every hour.
Search for "AdminSDHolder" and you should find a wealth of information.

Wayne
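The two replies above describe the mechanism (the SDProp process stamps adminCount=1 and disables ACL inheritance on every member, direct or nested, of a protected group, and repeats this hourly) and the KB program that lists the stamped accounts. The script below is an added example, not code from the thread or from the KB article, that does the same audit with the RSAT ActiveDirectory PowerShell module on a current domain (the original poster's Windows 2000 domain has no such module). The protected-group list is the Windows Server 2008-and-later default and is an assumption to check against your own domain, since it varies by OS version and dSHeuristics. By default the script only reports; with -Fix it repairs "orphaned" accounts (adminCount=1 but no longer in any protected group), which is the one case where re-enabling inheritance will actually stick, because SDProp will re-stamp anything still in a protected group within the hour.

```powershell
# Added example (not from the thread). Audit accounts stamped by AdminSDHolder/SDProp
# and optionally repair orphaned ones. Assumes the RSAT ActiveDirectory module and an
# account permitted to read adminCount (and, with -Fix, to modify the affected objects).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Only repair when explicitly asked; the default run is a read-only report.
    [switch]$Fix
)

Import-Module ActiveDirectory

# Default protected groups on Windows Server 2008 and later (assumption: verify for
# your own domain, as the list depends on OS version and on dSHeuristics).
$protectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)
# Two user accounts are protected directly, not through group membership.
$protectedUsers = @('Administrator', 'krbtgt')

# Build the set of DNs that are, directly or via nesting, members of a protected group.
# This is the same membership test SDProp applies on its hourly run.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    try { $group = Get-ADGroup -Identity $g -ErrorAction Stop } catch { continue }
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $protectedMembers[$_.distinguishedName] = $g }
}

# Every account SDProp has stamped: adminCount=1 (normally with inheritance disabled).
$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

$report = foreach ($u in $stamped) {
    $dn  = $u.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $via = if ($protectedMembers.ContainsKey($dn)) { $protectedMembers[$dn] }
           elseif ($protectedUsers -contains $u.SamAccountName) { '(protected account)' }
           else { '(none - orphaned)' }
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        ProtectedVia        = $via
        InheritanceDisabled = $acl.AreAccessRulesProtected
        DistinguishedName   = $dn
    }
}

$report | Sort-Object ProtectedVia, SamAccountName | Format-Table -AutoSize

if ($Fix) {
    # Repair only orphans. Accounts still in a protected group would be re-stamped
    # within the hour, so the remedy there is to remove them from the group (or to
    # accept the AdminSDHolder ACL), not to edit the object's own ACL.
    foreach ($row in ($report | Where-Object { $_.ProtectedVia -eq '(none - orphaned)' })) {
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, 'Clear adminCount and re-enable ACL inheritance')) {
            Set-ADUser -Identity $row.DistinguishedName -Clear adminCount
            $acl = Get-Acl -Path "AD:\$($row.DistinguishedName)"
            # SetAccessRuleProtection(isProtected=$false, preserveInheritance=$true):
            # inherit from the parent OU again while keeping the existing explicit ACEs.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$($row.DistinguishedName)" -AclObject $acl
        }
    }
}
```

Run it without arguments first to see which stamped accounts are still in a protected group (those are the ones the original poster is seeing revert); run `.\Audit-AdminSDHolder.ps1 -Fix -WhatIf` to preview the repair of orphaned accounts before applying it. Keep in mind that clearing adminCount on a genuine orphan and re-enabling inheritance widens the rights of whoever has permissions on the parent OU, so review the OU's ACL (here, Account Operators with Full control) before you do it.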