Solved

OU Delegated Rights Not Inherited

Posted on 2004-03-27
3
824 Views
Last Modified: 2013-12-04
I'm running the Delegation of Control wizard at an OU level. I'm assigning all available rights in the wizard to a group called "Admins". However, after running this some objects below the OU do not receive the inherited rights. The ability to edit a couple user objects remains greyed out for a person in the Admin group and the Admins group does not show up in the "Security" tab of the problem object.

Replication is not the issue and the person trying to edit the user objects has logged out and back in before making the edit attempt.

What could be causing this?

Thanks,
Rick Virene
Jacobs Engineering

0
Comment
Question by:Virene
3 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10695903
Domain Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221930

Troubleshooting Group Policy in Windows 2000
http://www.microsoft.com/windows2000/techinfo/howitworks/management/gptshoot.asp

Local Group Policy Settings Do Not Take Effect
http://support.microsoft.com/default.aspx?scid=kb;en-us;220862

Gpotool.exe: Group Policy Verification Tool
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp

Does windows2000 has security monitoring to know if somebody's overriding my group policy (GPO):
http://www.experts-exchange.com/Security/Win_Security/Q_20606772.html

Using Secedit.exe to Force Group Policy (GPO) to Be Applied Again:
http://support.microsoft.com/default.aspx?scid=kb;en-us;227448

Refresh policy from windows 2000 server:
1. Start / Run
2. CMD / ENTER
3. SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE
4. SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
5. EXIT

Gpupdate - Refreshes local and Active Directory-based Group Policy settings in Windows XP
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/refrgp.mspx

Using the Group Policy Snap-in Focused on a Remote Computer
http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_dbyy.asp

Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

Upgrading Windows 2000 Group Policy for Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900

Group Policy to Remove Program May Not Be Applied to Some Users and Computers
http://support.microsoft.com/default.aspx?scid=kb;en-us;240790

Remember to Enforce a Remote Access Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313082&sd=tech

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 83

Accepted Solution

by:
oBdA earned 250 total points
ID: 10698211
If the user objects in question are (or have been at some point) members of the Administrators group (or another protected group; this can include nested groups!), then that's why. Control over protected groups can by default not be delegated.

Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled
http://support.microsoft.com/?kbid=817433

Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?kbid=232199

Some other links that might be of interest when delegating rights:

Have a lok at "Setting Permissions on Active Directory Objects" found here:
Chapter 12 - Access Control
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part2/dsgch12.mspx

How to Modify the Filtered Properties of an Object
http://support.microsoft.com/?kbid=296490

How To Delegate the Unlock Account Right
http://support.microsoft.com/?kbid=294952

Securing Active Directory
By Sakari Kouti and Mike Seitsonen
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/securead.mspx


And some more general links:

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

Default Security Concerns in Active Directory Delegation
http://support.microsoft.com/?kbid=235531

HOWTO: Customize the Task List in the Delegation Wizard
http://support.microsoft.com/?kbid=308404

Delegate Control Wizard Cannot Be Used to Remove Groups or Users
http://support.microsoft.com/?kbid=229873
0
 

Author Comment

by:Virene
ID: 10708912
Thanks, guys for your responses. We had determined that there were GPOs involved. We found that all objects not receiving inherited rights were members of the Server Operators protected group. So this article was a direct hit: Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?kbid=232199

Rick Virene
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
OfficeMate Freezes on login or does not load after login credentials are input.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now