AD account will not retain permissions

Posted on 2006-06-08
Medium Priority
Last Modified: 2010-04-18
I run a Win 2003 AD enterprise.  I have a user account that will simply not retain permissions that are set on it under the advanced features, security tab in AD Users and Computers.  I check the allow inheritable permissions box under advanced and I also have applied a couple of explicit permissions on this object. I then push out a replication using replmon to make sure the other DCs are updated.  Within 45 mins or so the allow inheritable box is unchecked again and the explicit advanced permissions I had set are gone.  I have tried this successfully with other users in the same OU and it worked fine.  I have also reviewed this user's attributes in ADSI Edit and nothing seems to look wrong - although I do not know every single attribute.  This happened to me a few months ago with another account in a different OU and all I could do was delete and recreate the object.  I'd like to avoid doing that if possible but I am not sure what else I can do or what would cause the object to not retain the permissions settings.
Question by: mrsmileyns

Accepted Solution

oBdA earned 1000 total points
ID: 16865196
If the user objects in question are (or have been at some point) members of the Administrators group (or another protected group; this can include nested groups!), then that's why. Control over protected groups cannot, by default, be delegated.

Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled

Description and Update of the Active Directory AdminSDHolder Object
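An added example (not from the thread) that turns the answer above into a check: it lists accounts still carrying the adminCount=1 marker that AdminSDHolder/SDProp stamps, shows whether each is still (transitively) in a protected group and whether ACL inheritance is currently blocked, and offers a report-only repair for accounts that left all protected groups. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later); the question concerns Server 2003, where the same attribute and behaviour exist but this module does not.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module (Windows Server 2008 R2 or later); the question is about Server 2003,
# where the adminCount attribute and AdminSDHolder behave the same way.
Import-Module ActiveDirectory

# Protected groups that SDProp stamps, identified by well-known SID.
$domainSid = (Get-ADDomain).DomainSID.Value
$rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
$protectedSids = @(
    'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', # Administrators, Account Operators, Server Operators
    'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552', # Print Operators, Backup Operators, Replicator
    "$domainSid-512", "$domainSid-516",             # Domain Admins, Domain Controllers
    "$rootSid-518", "$rootSid-519"                  # Schema Admins, Enterprise Admins (forest root)
)

# Returns every account marked adminCount=1, whether it is still (transitively)
# in a protected group, and whether ACL inheritance is currently blocked.
function Get-AdminSDHolderStatus {
    foreach ($u in Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount) {
        # LDAP_MATCHING_RULE_IN_CHAIN walks nested group membership in one query.
        $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($u.DistinguishedName))"
        $stillProtected = [bool]($groups | Where-Object { $protectedSids -contains $_.SID.Value })
        $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            StillProtected     = $stillProtected
            InheritanceBlocked = $acl.AreAccessRulesProtected
            DistinguishedName  = $u.DistinguishedName
        }
    }
}

# Once an account has left all protected groups SDProp no longer touches it,
# but the adminCount flag and the blocked inheritance it left behind remain.
# Clearing both restores normal delegation; run with -Apply only after
# confirming the account really should no longer be protected.
function Repair-OrphanedAdminCount {
    param([switch]$Apply)
    foreach ($s in Get-AdminSDHolderStatus | Where-Object { -not $_.StillProtected }) {
        if (-not $Apply) { Write-Output "Would repair $($s.SamAccountName)"; continue }
        Set-ADUser -Identity $s.DistinguishedName -Clear adminCount
        $acl = Get-Acl -Path "AD:\$($s.DistinguishedName)"
        $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep existing ACEs
        Set-Acl -Path "AD:\$($s.DistinguishedName)" -AclObject $acl
    }
}

Get-AdminSDHolderStatus | Format-Table -AutoSize
```

An account that shows StillProtected = True will have its ACL rewritten again on the next SDProp pass regardless of what you set by hand, which is the symptom described in the question.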

Author Comment

ID: 16869408
This is very interesting - I am not sure if this user was part of a protected group in the past but it would explain the behavior.
