OU Delegated Rights Not Inherited

Posted on 2004-03-27
Last Modified: 2013-12-04
I'm running the Delegation of Control wizard at an OU level. I'm assigning all available rights in the wizard to a group called "Admins". However, after running this some objects below the OU do not receive the inherited rights. The ability to edit a couple user objects remains greyed out for a person in the Admin group and the Admins group does not show up in the "Security" tab of the problem object.

Replication is not the issue and the person trying to edit the user objects has logged out and back in before making the edit attempt.

What could be causing this?

Thanks,
Rick Virene
Jacobs Engineering

Question by:Virene
LVL 12

Expert Comment

by:trywaredk
ID: 10695903
Domain Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221930

Troubleshooting Group Policy in Windows 2000
http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp

Local Group Policy Settings Do Not Take Effect
http://support.microsoft.com/default.aspx?scid=kb;en-us;220862

Gpotool.exe: Group Policy Verification Tool
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp

Does windows2000 has security monitoring to know if somebody's overriding my group policy (GPO):
http://www.experts-exchange.com/Security/Win_Security/Q_20606772.html 

Using Secedit.exe to Force Group Policy (GPO) to Be Applied Again:
http://support.microsoft.com/default.aspx?scid=kb;en-us;227448

Refresh policy from windows 2000 server:
1. Start / Run
2. CMD / ENTER
3. SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
4. SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
5. EXIT

Gpupdate - Refreshes local and Active Directory-based Group Policy settings in Windows XP
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

Using the Group Policy Snap-in Focused on a Remote Computer
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_dbyy.asp

Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

Upgrading Windows 2000 Group Policy for Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900

Group Policy to Remove Program May Not Be Applied to Some Users and Computers
http://support.microsoft.com/default.aspx?scid=kb;en-us;240790

Remember to Enforce a Remote Access Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313082&sd=tech 

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
LVL 85

Accepted Solution

by:oBdA (earned 1000 total points)
ID: 10698211
If the user objects in question are (or have been at some point) members of the Administrators group (or another protected group; this can include nested groups!), then that's why. Control over protected groups can by default not be delegated.

Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled
http://support.microsoft.com/?kbid=817433

Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?kbid=232199

Some other links that might be of interest when delegating rights:

Have a look at "Setting Permissions on Active Directory Objects" found here:
Chapter 12 - Access Control
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part2/dsgch12.mspx

How to Modify the Filtered Properties of an Object
http://support.microsoft.com/?kbid=296490

How To Delegate the Unlock Account Right
http://support.microsoft.com/?kbid=294952

Securing Active Directory
By Sakari Kouti and Mike Seitsonen
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/securead.mspx


And some more general links:

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

Default Security Concerns in Active Directory Delegation
http://support.microsoft.com/?kbid=235531

HOWTO: Customize the Task List in the Delegation Wizard
http://support.microsoft.com/?kbid=308404

Delegate Control Wizard Cannot Be Used to Remove Groups or Users
http://support.microsoft.com/?kbid=229873

Author Comment

by:Virene
ID: 10708912
Thanks, guys, for your responses. We had determined that there were GPOs involved. We found that all objects not receiving inherited rights were members of the Server Operators protected group. So this article was a direct hit: Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?kbid=232199

Rick Virene
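
A read-only check for the cause identified in the accepted answer (protected-group members whose ACL is stamped from AdminSDHolder and whose inheritance is disabled), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module, which is newer than the Windows 2000 tooling discussed above; the OU path is a placeholder, and "Admins" is the delegated group from the question.

```powershell
# Added example: read-only audit; assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$SearchBase     = 'OU=Staff,DC=example,DC=com'  # placeholder: the OU that was delegated
$DelegatedGroup = 'Admins'                      # delegated group named in the question

# Escape a value (here a DN) for safe use inside an LDAP filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Protected groups, and groups nested in them, are themselves stamped adminCount=1.
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

# Users under the OU whose ACL has been overwritten from AdminSDHolder at some point.
$users = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(adminCount=1)' `
                    -Properties nTSecurityDescriptor

$report = foreach ($u in $users) {
    # Transitive (nested) membership via the LDAP_MATCHING_RULE_IN_CHAIN OID.
    # Primary-group membership is not stored in memberOf and is not detected here.
    $via = foreach ($g in $protectedGroups) {
        $dn  = ConvertTo-LdapFilterValue $g.DistinguishedName
        $hit = Get-ADUser -SearchBase $u.DistinguishedName -SearchScope Base `
                          -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
        if ($hit) { $g.Name }
    }
    $sd  = $u.nTSecurityDescriptor
    $ace = $sd.Access | Where-Object { $_.IdentityReference.Value -like "*\$DelegatedGroup" }

    [pscustomobject]@{
        User               = $u.SamAccountName
        InheritanceBlocked = $sd.AreAccessRulesProtected   # True = OU ACEs do not flow down
        DelegatedGroupAce  = [bool]$ace                    # False = group missing from Security tab
        ProtectedVia       = ($via -join '; ')             # empty = stale adminCount, no longer a member
    }
}

$report | Sort-Object User | Format-Table -AutoSize
```

Rows with InheritanceBlocked set to True and an empty ProtectedVia are accounts that have left every protected group but still carry the AdminSDHolder-stamped ACL, which matches the "or have been at some point" case in the accepted answer.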