Solved

Active Directory User Account Permissions Mysteriously Reset

Posted on 2006-06-22
3
285 Views
Last Modified: 2008-02-26
I am having trouble getting permissions set in Active Directory to "Set".  I am setting a permission for a user account to have the "Send As" permission.  what happens is I set the permission and test that it works.  some time later (about an hour or so) I'll get a call that the user cannot on behalf again.  I check the permissions and the one I created has mysteriously disappeared!  this also happens if I use the inherit permissions tickbox, I go back and the tick is removed and the permissions are gone!  p

Please help as this is driving me round the twist.  
0
Comment
Question by:FOSnet
3 Comments
 
LVL 26

Accepted Solution

by:
Pber earned 250 total points
ID: 17010491
It's most likely those users are in protected groups.  Once an hour the DC will compare ACLs on all objects for those objects in admin groups with what is in AdminSDHolder container, if they are different it resets the permission on those objects to what is set on the AdminSDHolder object.

Check out these articles


Description and Update of the Active Directory AdminSDHolder Object

http://support.microsoft.com/?id=232199
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
http://support.microsoft.com/?id=318180
Delegated permissions are not available and inheritance is automatically
disabled
http://support.microsoft.com/?id=817433
AdminSDHolder Object Affects Delegation of Control for Past Administrator
Accounts
http://support.microsoft.com/?id=306398
Security tab of the adminSDHolder object does not display all properties
http://support.microsoft.com/?id=301188
"You do not have sufficient permissions in the Domain" error message occurs
and Exchange Setup does not respond
http://support.microsoft.com/?id=319966
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question