delegation for user container - delgated users cant administer someuser accounts

[none]

Hi

I have created an organistional unit containing domain users and
delegated a group 'user admins' to look after these users.

The group members can administer all users EXCEPT other members of the
user admins group. Why is that? Surely they should be able to
administer every user in this container including members of this group.

Is there a way around this?

Thanks

T.

 

[Jorge_de_Almeida_Pinto]

Hi

I have created an organistional unit containing domain users
and
delegated a group 'user admins' to look after these users.

The group members can administer all users EXCEPT other
members of the
user admins group. Why is that? Surely they should be able
to
administer every user in this container including members of
this group.

Is there a way around this?

Thanks

T.

I assume the members of the group are also in the OU. If not put the
users in the OU.
If yes, it might the adminSDholder object is teasing you.

What might have happen....
Those users ARE or may have been sometime a member of one or more
protected groups in AD. Also these groups and its member will have a
property admincount=1. The adminSDholder object holds the security
descriptor for all the objects that have admincount=1. These objects
do NOT inherit permissions from a parent OU, but these "inherit" the
permissions that are set on the adminSDholder object. I say "inherit"
because a process on the PDC FSMO, that runs each hour, checks if all
objects that have admincount=1 or are member of protected groups or
are member of groups that are member of protected groups (group
nesting) still have the same permissions as defined on the
adminSDholder object. If not, the permissions will be reset to match

See:
MS-KBQ232199_Description and Update of the Active Directory
AdminSDHolder Object

MS-KBQ817433_Delegated permissions are not available and inheritance
is automatically disabled