?
Solved

OU Delegated Rights Not Inherited

Posted on 2004-03-27
3
Medium Priority
?
853 Views
Last Modified: 2013-12-04
I'm running the Delegation of Control wizard at an OU level. I'm assigning all available rights in the wizard to a group called "Admins". However, after running this some objects below the OU do not receive the inherited rights. The ability to edit a couple user objects remains greyed out for a person in the Admin group and the Admins group does not show up in the "Security" tab of the problem object.

Replication is not the issue and the person trying to edit the user objects has logged out and back in before making the edit attempt.

What could be causing this?

Thanks,
Rick Virene
Jacobs Engineering

0
Comment
Question by:Virene
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10695903
Domain Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221930

Troubleshooting Group Policy in Windows 2000
http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp

Local Group Policy Settings Do Not Take Effect
http://support.microsoft.com/default.aspx?scid=kb;en-us;220862

Gpotool.exe: Group Policy Verification Tool
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp

Does windows2000 has security monitoring to know if somebody's overriding my group policy (GPO):
http://www.experts-exchange.com/Security/Win_Security/Q_20606772.html 

Using Secedit.exe to Force Group Policy (GPO) to Be Applied Again:
http://support.microsoft.com/default.aspx?scid=kb;en-us;227448

Refresh policy from windows 2000 server:
1. Start / Run
2. CMD / ENTER
3. SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
4. SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
5. EXIT

Gpupdate - Refreshes local and Active Directory-based Group Policy settings in Windows XP
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

Using the Group Policy Snap-in Focused on a Remote Computer
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_dbyy.asp

Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

Upgrading Windows 2000 Group Policy for Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900

Group Policy to Remove Program May Not Be Applied to Some Users and Computers
http://support.microsoft.com/default.aspx?scid=kb;en-us;240790

Remember to Enforce a Remote Access Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313082&sd=tech 

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1000 total points
ID: 10698211
If the user objects in question are (or have been at some point) members of the Administrators group (or another protected group; this can include nested groups!), then that's why. Control over protected groups can by default not be delegated.

Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled
http://support.microsoft.com/?kbid=817433

Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?kbid=232199

Some other links that might be of interest when delegating rights:

Have a lok at "Setting Permissions on Active Directory Objects" found here:
Chapter 12 - Access Control
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part2/dsgch12.mspx

How to Modify the Filtered Properties of an Object
http://support.microsoft.com/?kbid=296490

How To Delegate the Unlock Account Right
http://support.microsoft.com/?kbid=294952

Securing Active Directory
By Sakari Kouti and Mike Seitsonen
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/securead.mspx


And some more general links:

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

Default Security Concerns in Active Directory Delegation
http://support.microsoft.com/?kbid=235531

HOWTO: Customize the Task List in the Delegation Wizard
http://support.microsoft.com/?kbid=308404

Delegate Control Wizard Cannot Be Used to Remove Groups or Users
http://support.microsoft.com/?kbid=229873
0
 

Author Comment

by:Virene
ID: 10708912
Thanks, guys for your responses. We had determined that there were GPOs involved. We found that all objects not receiving inherited rights were members of the Server Operators protected group. So this article was a direct hit: Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?kbid=232199

Rick Virene
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question