Permission for user account in AD

[Mihhail Sergejev]

Hi,

I have a Windows 2000 native mode domain with Windows
2000/2003 DCs.
Has noticed that I can not change permission for user
account (in AD User&Computers right-click account,
properties, Security-tab) if this account in the past was
member of Domain Admins global group.
Though I can make any changes (I need to delegate Full
Control for Account Operators), some time later
permissions are reset back and check-box "Allow
inheritable permissions from parent to propagate to this
object" (Security-tab of user account properties) is
cleared.

For user account that never was member of Domain Admins
group I can successfully change permissions.

Please, help...

Thank,
Mihhail

 

[Paul Bergson]

Is this user in an ou that doesn't allow account operators management via
group policy? You should be able to add the account operator even if it is
inheriting permissions. Have you added the account operators group?
Modified permissions explicitedly under the advanced tab?

 

[Chriss3]

This is the behavior when a user is member of one or more protected groups

http://support.microsoft.com/default.aspx?scid=kb;en-us;232199

 

[Paul Bergson]

I didn't know server went back after the fact. I had also assumed (Bad
assumption) that this was a normal user.

Nice info Chriss3

 

[Chriss3]

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

 

[Mihhail Sergejev]

1) - No,
2) - Yes,
3) - Yes.
Try to press Default button on the Advanced Security
Setting tab for UserAccount - Account Operators has
received Full Control, but later Account Operators again
was removed from Permissions entries...

Why?

 

[Enkidu]

There is a Group Policy that sets the membership of certain important
groups known as "Restricted Goups". It's very possible that this is
resetting the Domain Admins group when it finds that it has changed.

Cheers,

Cliff