Solved

OU Delegated Rights Not Inherited

Posted on 2004-03-27
Last Modified: 2013-12-04
I'm running the Delegation of Control wizard at an OU level. I'm assigning all available rights in the wizard to a group called "Admins". However, after running this some objects below the OU do not receive the inherited rights. The ability to edit a couple user objects remains greyed out for a person in the Admin group and the Admins group does not show up in the "Security" tab of the problem object.

Replication is not the issue and the person trying to edit the user objects has logged out and back in before making the edit attempt.

What could be causing this?

Thanks,
Rick Virene
Jacobs Engineering

Question by:Virene

Expert Comment

by:trywaredk
ID: 10695903
Domain Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221930

Troubleshooting Group Policy in Windows 2000
http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp

Local Group Policy Settings Do Not Take Effect
http://support.microsoft.com/default.aspx?scid=kb;en-us;220862

Gpotool.exe: Group Policy Verification Tool
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp

Does windows2000 has security monitoring to know if somebody's overriding my group policy (GPO):
http://www.experts-exchange.com/Security/Win_Security/Q_20606772.html 

Using Secedit.exe to Force Group Policy (GPO) to Be Applied Again:
http://support.microsoft.com/default.aspx?scid=kb;en-us;227448

Refresh policy from windows 2000 server:
1. Start / Run
2. CMD / ENTER
3. SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
4. SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
5. EXIT

Gpupdate - Refreshes local and Active Directory-based Group Policy settings in Windows XP
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

Using the Group Policy Snap-in Focused on a Remote Computer
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_dbyy.asp

Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

Upgrading Windows 2000 Group Policy for Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900

Group Policy to Remove Program May Not Be Applied to Some Users and Computers
http://support.microsoft.com/default.aspx?scid=kb;en-us;240790

Remember to Enforce a Remote Access Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313082&sd=tech 

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

Accepted Solution

by:
oBdA earned 250 total points
ID: 10698211
If the user objects in question are (or have been at some point) members of the Administrators group (or another protected group; this can include nested groups!), then that's why. Control over protected groups can by default not be delegated.

Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled
http://support.microsoft.com/?kbid=817433

Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?kbid=232199

Some other links that might be of interest when delegating rights:

Have a look at "Setting Permissions on Active Directory Objects" found here:
Chapter 12 - Access Control
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part2/dsgch12.mspx

How to Modify the Filtered Properties of an Object
http://support.microsoft.com/?kbid=296490

How To Delegate the Unlock Account Right
http://support.microsoft.com/?kbid=294952

Securing Active Directory
By Sakari Kouti and Mike Seitsonen
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/securead.mspx


And some more general links:

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

Default Security Concerns in Active Directory Delegation
http://support.microsoft.com/?kbid=235531

HOWTO: Customize the Task List in the Delegation Wizard
http://support.microsoft.com/?kbid=308404

Delegate Control Wizard Cannot Be Used to Remove Groups or Users
http://support.microsoft.com/?kbid=229873
0
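An audit of the situation the accepted answer describes, as an added example that is not part of the original thread: for each user under an OU that carries `adminCount=1`, it reports whether inheritance is blocked, whether the delegated group appears in the object's ACL, and which protected groups the user currently belongs to, including through nesting. Assumptions: the OU distinguished name is a placeholder, `Admins` is the group named in the question, the ActiveDirectory PowerShell module is available, the domain controller supports the `LDAP_MATCHING_RULE_IN_CHAIN` matching rule, and groups with `adminCount=1` are treated as the protected set.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumptions: placeholder OU DN; 'Admins' is the delegated group from the question.
$SearchBase     = 'OU=Example,DC=example,DC=com'
$DelegatedGroup = 'Admins'

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape characters that are special inside an LDAP search filter (RFC 4515).
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Users under the OU that have been stamped with adminCount=1.
Get-ADUser -SearchBase $SearchBase -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        $acl = $_.nTSecurityDescriptor
        $dn  = ConvertTo-LdapFilterValue $_.DistinguishedName

        # Stamped groups the user belongs to directly or through nesting
        # (1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN).
        # Membership held only as the primary group is not returned by this filter.
        $via = Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"

        [pscustomobject]@{
            User                = $_.SamAccountName
            # True when the object's ACL no longer inherits from the OU.
            InheritanceBlocked  = $acl.AreAccessRulesProtected
            # True when any ACE on the object names the delegated group.
            DelegatedAcePresent = [bool]($acl.Access |
                Where-Object { $_.IdentityReference -like "*\$DelegatedGroup" })
            # Empty: no current membership, the "have been at some point" case.
            ProtectedVia        = ($via.Name | Sort-Object) -join ', '
        }
    } | Format-Table -AutoSize
```

A row with `InheritanceBlocked` true and `DelegatedAcePresent` false matches the symptom in the question: the `Admins` group is missing from the Security tab of that object.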
 

Author Comment

by:Virene
ID: 10708912
Thanks, guys for your responses. We had determined that there were GPOs involved. We found that all objects not receiving inherited rights were members of the Server Operators protected group. So this article was a direct hit: Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?kbid=232199

Rick Virene