Losing Permissions on Active Directory Accounts

Posted on 2007-10-04
Last Modified: 2010-01-29
We have noticed over the past year that some of our users are having permission issues in Active Directory. Generally, an account has the following permissions.
Account operators
Authenticated Users
Domain Admins
Enterprise Admins

What we are noticing is that several accounts are missing all but 4 of these. If you view the security on the user, you can go to Advanced, remove all permissions and hit Default, and all the correct permissions go back. However, in about 5 to 10 minutes, the permissions change back.

The permissions it changes back to are:
Authenticated Users
Domain Admins
Exchange Enterprise Servers

This doesn't matter if the person is a domain user, domain admin, or exchange admin.
I've tried through ADSI Edit to force it and it changes back.

Any ideas?
Question by: lsbgfl

Accepted Solution

This is a known behaviour for members of elevated groups such as Domain Admins, Account Operators, etc.

A description of the behaviour and some potential workarounds can be found here:
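The accepted answer describes the protected-group behaviour without naming it: the domain's security descriptor propagation process re-stamps the ACL of any account that is (or once was) in a protected group and flags it with adminCount=1. The script below is an added example, not part of the answer or any Microsoft tool, that inventories such accounts and flags the "orphaned" ones that are no longer in a protected group but still carry the stamped ACL, which is a common cause of helpdesk staff being unable to manage them. It assumes the ActiveDirectory PowerShell module (RSAT) and the default protected-group names; an Exchange-modified AdminSDHolder may add more.

```powershell
# Added example: list accounts stamped by the protected-group process
# (adminCount=1, inheritance disabled) and whether they are still protected.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Default protected groups. Customised AdminSDHolder setups may differ.
$ProtectedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'
)

# Resolve every protected group to the DNs of its nested members once.
$ProtectedMembers = @{}
foreach ($g in $ProtectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }   # group absent in this domain/functional level
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $ProtectedMembers[$_.DistinguishedName] = $g }
}

# adminCount=1 is the marker left on every object the process has stamped.
$Stamped = Get-ADUser -LDAPFilter '(adminCount=1)' `
    -Properties adminCount, nTSecurityDescriptor

$Report = foreach ($u in $Stamped) {
    $dn = $u.DistinguishedName
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        # True when the ACL no longer inherits from the OU, the symptom in the question.
        InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedVia        = $ProtectedMembers[$dn]
        # Orphaned: stamped in the past but no longer in any protected group.
        # The process never undoes its stamp, so these keep the restricted ACL
        # until adminCount is cleared and inheritance is re-enabled by hand.
        Orphaned            = -not $ProtectedMembers.ContainsKey($dn)
    }
}

$Report | Sort-Object Orphaned -Descending | Format-Table -AutoSize
```

Accounts that show ProtectedVia set are the ones whose manual ACL edits will keep reverting, as the question describes; the Orphaned rows are the ones a defender can safely clean up once their group membership has been confirmed.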

Expert Comment

Do you have any GPOs configured with Restricted Groups, or are you using a 3rd-party tool (e.g. Quest) which controls AD?

Author Comment

I will check that link, Laura, and get back. Thanks.

I do not have any special GPOs for the other users. For regular domain users, I do have a user GPO set, and for our IT group, I have them denied to that portion. However, the issue is within the IT group only, whose members vary from minimal permissions up to domain admins.

Author Comment

That link seemed to do it. If anyone knows how to add the Send As permissions through that, please let me know. I see the other permissions but nothing that relates to it.

I appreciate it very much.
