Computer and User objects are not inheriting permissions

Sadissa

Guest
Hello, all.
All our user accounts are under an OU named 'Accounts' (with Sub-OUs).
We recently delegated control to a security group on that OU with
permissions:
- Create, delete, and manage user accounts
- Reset User passwords and force password change at next logon
- Read all user information
The delegation globally works well, but sometimes we find that some user
accounts stop applying the inherited permissions. In that situation only the
default groups (domain admins, account operators, etc.) are able to modify
the user accounts, and we are obliged to reapply the settings to fix the
issue.
This situation creates a crisis between the department which has been
delegated control through the security group and us, the administrators. How
can we make sure all user accounts under the OU arborescence inherit all the
permissions at any time?
Thanks in advance for your help.
 


Hi
Sounds like an AdminSDHolder issue; make sure that the users are not members of
protected groups.
http://support.microsoft.com/kb/232199
http://support.microsoft.com/kb/817433

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
"Sadissa" <Sadissa@discussions.microsoft.com> wrote in message
news:FB8B0C13-A50E-4C74-9459-D2385D51F243@microsoft.com...
> Hello, all.
> All our user accounts are under an OU named 'Accounts' (with Sub-OUs).
> We recently delegated control to a security group on that OU with
> permissions:
> - Create, delete, and manage user accounts
> - Reset User passwords and force password change at next logon
> - Read all user information
> The delegation globally works well, but sometimes we find that some user
> accounts stop applying the inherited permissions. In that situation only the
> default groups (domain admins, account operators, etc.) are able to modify
> the user accounts, and we are obliged to reapply the settings to fix the
> issue.
> This situation creates a crisis between the department which has been
> delegated control through the security group and us, the administrators. How
> can we make sure all user accounts under the OU arborescence inherit all the
> permissions at any time?
> Thanks in advance for your help.



 
Do any of these users who are having problems belong to deprecated groups
such as Account Operators, etc...? If so, AdminSDHolder is the reason.

If so, read this for details on the specific groups
http://support.microsoft.com/?id=318180

Inheritance is blocked
http://support.microsoft.com/kb/817433

Paul Williams has a nice article on this here
http://www.msresource.net/content/view/38/46/

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Sadissa" <Sadissa@discussions.microsoft.com> wrote in message
news:FB8B0C13-A50E-4C74-9459-D2385D51F243@microsoft.com...
> Hello, all.
> All our user accounts are under an OU named 'Accounts' (with Sub-OUs).
> We recently delegated control to a security group on that OU with
> permissions:
> - Create, delete, and manage user accounts
> - Reset User passwords and force password change at next logon
> - Read all user information
> The delegation globally works well, but sometimes we find that some user
> accounts stop applying the inherited permissions. In that situation only the
> default groups (domain admins, account operators, etc.) are able to modify
> the user accounts, and we are obliged to reapply the settings to fix the
> issue.
> This situation creates a crisis between the department which has been
> delegated control through the security group and us, the administrators. How
> can we make sure all user accounts under the OU arborescence inherit all the
> permissions at any time?
> Thanks in advance for your help.
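
One way to run the check suggested in the replies above, as an added example that is not part of the original thread: list the accounts under the OU that carry adminCount=1 and show, for each, whether ACL inheritance is disabled and which groups it belongs to directly. The OU distinguished name is a placeholder, and the ActiveDirectory PowerShell module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the original thread.
# Assumption: the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

# Assumption: placeholder DN, replace with the real path of the 'Accounts' OU.
$SearchBase = 'OU=Accounts,DC=example,DC=com'

# adminCount=1 marks accounts that the AdminSDHolder process has stamped
# because they are, or once were, members of a protected group
# (directly or through nesting).
$users = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -LDAPFilter '(adminCount=1)' `
    -Properties adminCount, memberOf, nTSecurityDescriptor

$report = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        DistinguishedName   = $u.DistinguishedName
        # True means the "inherit permissions from parent" flag is cleared,
        # so the ACEs delegated on the OU no longer reach this object.
        InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected
        # Direct memberships only; nested membership in a protected group
        # has to be followed through these groups by hand.
        DirectGroups        = ($u.memberOf -join ' | ')
    }
}

$report | Sort-Object SamAccountName | Format-List
```

Accounts reported with InheritanceDisabled set to True are the ones where the delegated group loses access; the DirectGroups column is the starting point for finding the protected-group membership the replies refer to.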



 
