Inheritance is automatically disabled on some user accounts approximately one ti

S

Stefan

Hi!

Inheritance is automatically disabled on some user
accounts approximately one time an hour.

The checkbox " allow inheritable permissions from parent
to propagate to this object" gets unchecked several times
every hour for some users. It´s on the security page of
the user property. The only one that can modify properties
then is domain admins. It doesn´t seem to depend on
replication.

Stefan
 
W

Wayne Tilton

Hi!

Inheritance is automatically disabled on some user
accounts approximately one time an hour.

The checkbox " allow inheritable permissions from parent
to propagate to this object" gets unchecked several times
every hour for some users. It´s on the security page of
the user property. The only one that can modify properties
then is domain admins. It doesn´t seem to depend on
replication.

Stefan
Click to expand...

This is usually caused by the users being members of administrative
groups (e.g. Domain Admins). Once an hour the SDPROP process will kick
off and turn off inheritable permissions for these types of users. The
only way to prevent this is to remove the users from the administrative
group(s) and re-enable inheritance.

Wayne
 
J

Joe Wu [MSFT]

Hello,

Thank you for your post and thanks to Wayne for his input. Yes, Wayne is
right. Please check the affected users to see if they are members of the
following protected groups:

Enterprise Admins
Schema Admins
Domain Admins
Administrators

Note: If your domain is Windows Server 2003 AD, please check if the users
are member of the following groups:

Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

This problem is explained in detail in the following Knowledge Based
article:

817433 Delegated Permissions Are Not Available and Inheritance Is
Automatically
http://support.microsoft.com/?id=817433

Please check that if the problem has been resolved by the methods in the
above KB article.

Also, if the problem is not the exact one described in the above KB, please
feel free to let me know and provide me with the detailed steps so that I
can check if I can reproduce the problem on my test machines.

Thanks and have a nice day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Subject: Re: Inheritance is automatically disabled on some user accounts
approximately one ti
|From: Wayne Tilton <[email protected]>
|References: <[email protected]>
|Organization: LMIT
|Message-ID: <[email protected]>
|User-Agent: Xnews/5.04.25
|Newsgroups: microsoft.public.win2000.active_directory
|Date: Wed, 14 Jan 2004 09:29:16 -0800
|NNTP-Posting-Host: 4.18.239.50
|Lines: 1
|Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.
phx.gbl
|Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.active_directory:62752
|X-Tomcat-NG: microsoft.public.win2000.active_directory
|
|[email protected]:
|
|> Hi!
|>
|> Inheritance is automatically disabled on some user
|> accounts approximately one time an hour.
|>
|> The checkbox " allow inheritable permissions from parent
|> to propagate to this object" gets unchecked several times
|> every hour for some users. It´s on the security page of
|> the user property. The only one that can modify properties
|> then is domain admins. It doesn´t seem to depend on
|> replication.
|>
|> Stefan
|>
|
|This is usually caused by the users being members of administrative
|groups (e.g. Domain Admins). Once an hour the SDPROP process will kick
|off and turn off inheritable permissions for these types of users. The
|only way to prevent this is to remove the users from the administrative
|group(s) and re-enable inheritance.
|
|Wayne
|
|--
|Standard Disclaimer: I said it, they didn't, so blame me, not them!
|Spam Avoidance: My reply address is invalid to confuse the spambots.
|You can reach me at 'Wayne_Tilton at yahoo dot com'
|
 
S

Stefan

Thank you for your answer!
-----Original Message-----


This is usually caused by the users being members of administrative
groups (e.g. Domain Admins). Once an hour the SDPROP process will kick
off and turn off inheritable permissions for these types of users. The
only way to prevent this is to remove the users from the administrative
group(s) and re-enable inheritance.

Wayne

--
Standard Disclaimer: I said it, they didn't, so blame me, not them!
Spam Avoidance: My reply address is invalid to confuse the spambots.
You can reach me at 'Wayne_Tilton at yahoo dot com'
.
Click to expand...
 
S

stefan

Thank you for your help. I will try this.
/Stefan
-----Original Message-----
Hello,

Thank you for your post and thanks to Wayne for his input. Yes, Wayne is
right. Please check the affected users to see if they are members of the
following protected groups:

Enterprise Admins
Schema Admins
Domain Admins
Administrators

Note: If your domain is Windows Server 2003 AD, please check if the users
are member of the following groups:

Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

This problem is explained in detail in the following Knowledge Based
article:

817433 Delegated Permissions Are Not Available and Inheritance Is
Automatically
http://support.microsoft.com/?id=817433

Please check that if the problem has been resolved by the methods in the
above KB article.

Also, if the problem is not the exact one described in the above KB, please
feel free to let me know and provide me with the detailed steps so that I
can check if I can reproduce the problem on my test machines.

Thanks and have a nice day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
|Subject: Re: Inheritance is automatically disabled on some user accounts
approximately one ti
|From: Wayne Tilton <[email protected]>
|References: <[email protected]>
|Organization: LMIT
|Message-ID: <[email protected]>
|User-Agent: Xnews/5.04.25
|Newsgroups: microsoft.public.win2000.active_directory
|Date: Wed, 14 Jan 2004 09:29:16 -0800
|NNTP-Posting-Host: 4.18.239.50
|Lines: 1
|Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl! TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.
phx.gbl
|Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.active_directory:62752
|X-Tomcat-NG: microsoft.public.win2000.active_directory
|
|[email protected]:
|
|> Hi!
|>
|> Inheritance is automatically disabled on some user
|> accounts approximately one time an hour.
|>
|> The checkbox " allow inheritable permissions from parent
|> to propagate to this object" gets unchecked several times
|> every hour for some users. It´s on the security page of
|> the user property. The only one that can modify properties
|> then is domain admins. It doesn´t seem to depend on
|> replication.
|>
|> Stefan
|>
|
|This is usually caused by the users being members of administrative
|groups (e.g. Domain Admins). Once an hour the SDPROP process will kick
|off and turn off inheritable permissions for these types of users. The
|only way to prevent this is to remove the users from the administrative
|group(s) and re-enable inheritance.
|
|Wayne
|
|--
|Standard Disclaimer: I said it, they didn't, so blame me, not them!
|Spam Avoidance: My reply address is invalid to confuse the spambots.
|You can reach me at 'Wayne_Tilton at yahoo dot com'
|

.
Click to expand...
 
C

Caveman

Joe said:
Hello,

Thank you for your post and thanks to Wayne for his input. Yes, Wayne is
right. Please check the affected users to see if they are members of the
following protected groups:

Enterprise Admins
Schema Admins
Domain Admins
Administrators

Note: If your domain is Windows Server 2003 AD, please check if the users
are member of the following groups:

Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

This problem is explained in detail in the following Knowledge Based
article:

817433 Delegated Permissions Are Not Available and Inheritance Is
Automatically
http://support.microsoft.com/?id=817433

Please check that if the problem has been resolved by the methods in the
above KB article.

Also, if the problem is not the exact one described in the above KB, please
feel free to let me know and provide me with the detailed steps so that I
can check if I can reproduce the problem on my test machines.

Thanks and have a nice day!

Regards,
Joe Wu
Product Support Services
Microsoft Corporation
Click to expand...

Does this fix need to be installed on all DCs or just the ones that
hold FSMO roles?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

AD User Objects & Permission Inheritance 7
Inheritance on user objects with Domain Admin membership 2
inheretance is broken - sdprop adminsdholder, builtin container an 0
Modifing "Inherit Permissions" on AD user accounts 1
(another) DC replication problem 8
How to show ALL user accounts in User Accounts applet? 7
Why is Fast User Switching disabled for computers on a domain? 5
Offer Remote Assistance - "Permission denied" - Windows XP SP2 2

Top