Solved

Allow inheritable permission

Posted on 2007-11-15
8
697 Views
Last Modified: 2010-08-05
I'm have a problem with some not all of my object in Active Directory. There are some user object, even thought the container has the check mark under Properties/Security/Advanced 'Allow inheritable permissions from the parent...'

Even trying to manualy manipulate the use obejct and check that option, 8 to 12 hours later is disappears.

Any help would be greatly appreciated

Windows 2003R2 server all the latest patches.
0
Comment
Question by:aborquez
  • 2
  • 2
  • 2
  • +1
8 Comments
 
LVL 7

Expert Comment

by:mcse2007
ID: 20295361
What type of domain structure you have (e.g forest, parent, child domain) ?

If you are using a parent admin account and changing user's object security rights in child domain, ensure both of these domains are on the same domain controller level (e.g  2000 native, 2003).


0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20295797
I have seen an ms article on this from oBdA but for the life of me i cannot find it - i would start trauling technet if i were you, ill do the same but there is deffinitely an article
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20296435
both the parent and the child domain must be on the same domain functional level to solve this problem.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20296445
I didnt see a single mention of a parent - child infrastructure
0
 
LVL 83

Accepted Solution

by:
oBdA earned 250 total points
ID: 20296937
These users are (or have been at one point) member of a "protected group" (Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins, Cert Publishers); check here for details.
Inheritance on these accounts is removed (mostly) on purpose; there is only a problem that if a user is removed from a protected group, the inheritance flag isn't reset automatically.

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/?kbid=817433
0
 

Author Comment

by:aborquez
ID: 20300352
Single domain no child

oBdAo - Yes one fo the accoutns was a member of a protected group, but even after I removed them and reflagged the inheritable permissions flag it goes away... I'll check the KB you attached and see if that help.

All comments help. Thanks everyone.
0
 

Author Comment

by:aborquez
ID: 20300409
YES!!! the KB did help... Looks like after being a member of a protected group there is more than just choosing the inheritance option within the GUI profile. I have to run this script to set the admin acoutn to 0 instead of 1.

Thanks oBda
0

Join & Write a Comment

Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available. Let’s expl…
Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now