Cannot modify some groups/users in AD

[Megan Kielman]

Hi everyone,

I have noticed that I cannot modify some groups and users in ADUC. I have
been told it is because these users/groups have more privileges then I do
but I can't seem to figure out how this is determined and if is even
accurate information. If this is true, what is this called? Is it a built-in
feature of AD? If this isn't true, is there a permission that has been
configured that I am not aware of? It doesn't matter which OU these groups
or users are in.

Thanks!

 

[Chriss3]

Can you explain the particular behavior you have and what you are trying to
do? Some groups are 'Protected Groups' , Domain Admins , Schema Admins,
Enterpise Admins , Cert Publishers, Administrators, Account Operators,
Server Operators , Print Operators and Backup Operators.

 

[Megan Kielman]

When I open certain groups/users all fields are grayed out so I cannot
modify them in any way. In one case, there is a global group that is grayed
out, and I looked at the "member of" tab but it isn't a member of a
"protected group".

As a side note, what happens if an object is a member of a "protected
group"?

 

[Chriss3]

Hello Megan,

This sounds weird, are you logged on with the built-in administrator
account?

The ACL on user accounts that are members of one or more "protected" groups
are automatically set and refreshed to enhance security. If the ACL is
different, replace ACL from template and disable inheritance