AD account will not retain permissions

I run a Win 2003 AD enterprise.  I have a user account that will simply not retain permissions that are set on it under the advanced features, security tab in AD Users and Computers.  I check the allow inheritable permissions box under advanced and I also have applied a couple of explicit permissions on this object. I then push out a replication using replmon to make sure the other DC's are updated.  Within 45 mins or so the allow inheritable box is unchecked agaion and the explicit advanced permissions I had set are gone.  I have tried this succesfully wth other users in the same OU and it worked fine.  I have also reviewed this users attributes in ADSI Edit and nothing seems to look wrong - although I do not know every single attribute.  This happened to me a few months ago with another account in a different OU and all I could do was delete and recreate the object.  I'd like to avoid doing that if possible but I am not sure what else I can do or what would cause the object to not retain the permissions settings.  
mrsmileynsAsked:
Who is Participating?
 
oBdAConnect With a Mentor Commented:
If the user objects in question are (or have been at some point) members of the Administrators group (or another protected group; this can include nested groups!), then that's why. Control over protected groups can by default not be delegated.

Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled
http://support.microsoft.com/?kbid=817433

Description and Update of the Active Directory AdminSDHolder Object
http://support.microsoft.com/?kbid=232199
0
 
mrsmileynsAuthor Commented:
This is very interesting - I am not sure if this user was part of a protected group in the past but it would explain the behavior.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.