lsbgfl
asked on
Losing Permissions on Active Directory Accounts
We have noticed over the past year that some of our users are having permission issues in active directory. Generally, an account has the following permissions.
Account operators
Administrators
Authenticated Users
Domain Admins
Enterprise Admins
Self
System
etc.
What we are noticing is several accounts are missing all but 4 of these. If you view the security on the user, you can go to advance, remove all permissions and hit default and all the correct permissions go back. However, in about 5 to 10 minutes, the permissions change back.
The permissions it changes back to is:
Authenticated Users
Domain Admins
Exchange Enterprise Servers
System
This doesn't matter if the person is a domain user, domain admin, or exchange admin.
I've tried through ASDI edit to force it and it changes back.
Any ideas?
Account operators
Administrators
Authenticated Users
Domain Admins
Enterprise Admins
Self
System
etc.
What we are noticing is several accounts are missing all but 4 of these. If you view the security on the user, you can go to advance, remove all permissions and hit default and all the correct permissions go back. However, in about 5 to 10 minutes, the permissions change back.
The permissions it changes back to is:
Authenticated Users
Domain Admins
Exchange Enterprise Servers
System
This doesn't matter if the person is a domain user, domain admin, or exchange admin.
I've tried through ASDI edit to force it and it changes back.
Any ideas?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
DeanC30
Do you have any GPOs configured with Restrictive groups or are you using a 3rd party tool (eg Quest) which controls AD?
ASKER
I will check that link Laura and get back. Thanks.
DeanC30:
I do not have any special GPO's for the other users. For regular domain users, I do have a user GPO set and for our IT group, I have then denied to that portion. However the issue is within the IT group only which vary from minimal permissions up to domain admins.
DeanC30:
I do not have any special GPO's for the other users. For regular domain users, I do have a user GPO set and for our IT group, I have then denied to that portion. However the issue is within the IT group only which vary from minimal permissions up to domain admins.
ASKER
That link seemed to do it. If anyone knows how to add the Send As permissions through that, please let me know. I see the other permissions but nothing that relates to it.
I appreciate it very much.
I appreciate it very much.