Solved

Changes to user security settings will stick

Posted on 2007-03-22
3
822 Views
Last Modified: 2013-12-04
I have just setup BlackBerry Enterprise server on a Windows SBS 2003 domain controller.  When setting up the Blackberry software, I had to add a new user to the domain (BESadmin) in order to properly setup the software.  For the Blackberry software to work, I have to give the user BESadmin "Send As" permissions for the entire domain.

Problem:  While I am able to properly add the BESadmin to the entire domain and to the organizational unit, I cannot do the same for the individual user account.  There is only one user who I need the BESadmin to have Send As permission for, but their account is set to not inherit permissions, and when I make any changes to their security settings they seem to apply fine but are later removed when I check back in.  Since the Blackberry software tells you to wait 20 minutes before restarting their software, I wait each time I have changed the users security settings and go back for a final check and they have always changed back.

What can I do to get my changes to stick??
0
Comment
Question by:doulos777
  • 2
3 Comments
 
LVL 10

Accepted Solution

by:
abraham808 earned 500 total points
ID: 18773323
Make sure they are not a Domain Admin or Account Operators or any one of the protected accounts:
http://support.microsoft.com/kb/817433

Method 2: Enable inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, all members of the protected groups have inherited permissions enabled. In terms of security functionality, this method reverts the behavior of the adminSDHolder container back to the pre-Service Pack 4 functionality.
Enabling inheritance on the adminSDHolder container
If you enable inheritance on the adminSDHolder container, one of the two protective access control list (ACL) mechanisms is disabled. The default permissions are applied. However, all members of protected groups inherit permissions from the organizational unit and any parent organizational units if inheritance is enabled at the organizational unit level.

To provide inheritance protection for administrative users, move all administrative users (and other users who require inheritance protection) to their own organizational unit. At the organizational unit level, remove inheritance and then set the permissions to match the current ACLs on the adminSDHolder container. Because the permissions on the adminSDHolder container may vary (for example, Microsoft Exchange Server adds some permissions or the permissions may have been modified), review a member of a protected group for the current permissions on the adminSDHolder container. Be aware that the user interface (UI) does not display all permissions on the adminSDHolder container. Use DSacls to view all permissions on the adminSDHolder container.

You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container: 1. Right-click the container, and then click Properties.
2. Click the Security tab.  
3. Click Advanced.  
4. Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box .
5. Click OK, and then click Close.  
The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).

0
 

Author Comment

by:doulos777
ID: 18773527
The user was setup (by previous IT staff) as a domain admin.  I have removed that setting and re-applied the needed security.  I will let you know how things turn out.
0
 

Author Comment

by:doulos777
ID: 18775878
WORKED GREAT!!

The user was also a Domain Admin.  Once I removed that setting, they were able to get and keep new permissions.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SBS2011 - Supporting Win10 11 50
SBS 2011 corrupt database 3 72
Exchange 2010 - Two email addresses - OOF on one 45 68
Move for SBS 2011 to Office 365 3 25
This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now