Security changes for User Object do not stick

[Guest]

I hope someone can help me with this question

We are having problems with making security changes stick for a handful of user objects attributes. After awhile, these object keep on reverting back to security setting immediately prior to the changes

At the OU level, we delegate rights to global security groups to change certain user attributes like the address field, description, etc via the security tab. With the problematic user objects, I noticed that they were set to "not" inherit permissions. I would change the object to let it inherit permissions from the OU level and I would see the delegated security rights change accordingly. The rights would stick from anywhere to a couple of minutes to an hour. Then after some time (maybe after replication with a DC?) the security tab would revert to the setting before changes were made. The user object would even revert back to unchecking the inherit permissions option. This same result would occur even if I changed security settings on the user object directly

We have no probem with a vast majority of our user objects, including user objects in the same OU

 

[Wayne Tilton]

I hope someone can help me with this question.

We are having problems with making security changes stick for a
handful of user objects attributes. After awhile, these object keep
on reverting back to security setting immediately prior to the
changes.

At the OU level, we delegate rights to global security groups to
change certain user attributes like the address field, description,
etc via the security tab. With the problematic user objects, I
noticed that they were set to "not" inherit permissions. I would
change the object to let it inherit permissions from the OU level and
I would see the delegated security rights change accordingly. The
rights would stick from anywhere to a couple of minutes to an hour.
Then after some time (maybe after replication with a DC?) the
security tab would revert to the setting before changes were made.
The user object would even revert back to unchecking the inherit
permissions option. This same result would occur even if I changed
security settings on the user object directly!

We have no probem with a vast majority of our user objects, including
user objects in the same OU.

Do a search on AdminSDHolder and it should all become clear. The users
who are having this problem are members of one of the "Protected Groups".
The list of Protected Groups was expanded with Win2k SP4 to bring it into
line with Win2k3 so lots of people are getting a crash-course in
AdminSDHolder.

The following KB article explains it and offers some possible solutions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

Wayne