Solved

Allow inheritable permission

Posted on 2007-11-15
Last Modified: 2010-08-05
I have a problem with some, not all, of my objects in Active Directory. There are some user objects, even though the container has the check mark under Properties/Security/Advanced 'Allow inheritable permissions from the parent...'

Even trying to manually manipulate the user object and check that option, 8 to 12 hours later it disappears.

Any help would be greatly appreciated

Windows 2003R2 server all the latest patches.
0
Question by:aborquez
8 Comments
 
LVL 7

Expert Comment

by:mcse2007
ID: 20295361
What type of domain structure do you have (e.g. forest, parent, child domain)?

If you are using a parent admin account and changing users' object security rights in a child domain, ensure both of these domains are on the same domain controller level (e.g. 2000 native, 2003).


0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20295797
I have seen an MS article on this from oBdA but for the life of me I cannot find it - I would start trawling TechNet if I were you, I'll do the same, but there is definitely an article
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20296435
Both the parent and the child domain must be on the same domain functional level to solve this problem.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20296445
I didn't see a single mention of a parent-child infrastructure
0
 
LVL 83

Accepted Solution

by:
oBdA earned 250 total points
ID: 20296937
These users are (or have been at one point) members of a "protected group" (Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins, Cert Publishers); check here for details.
Inheritance on these accounts is removed (mostly) on purpose; there is only a problem that if a user is removed from a protected group, the inheritance flag isn't reset automatically.

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/?kbid=817433
0
 

Author Comment

by:aborquez
ID: 20300352
Single domain no child

oBdA - Yes, one of the accounts was a member of a protected group, but even after I removed them and reflagged the inheritable permissions flag it goes away... I'll check the KB you attached and see if that helps.

All comments help. Thanks everyone.
0
 

Author Comment

by:aborquez
ID: 20300409
YES!!! The KB did help... Looks like after being a member of a protected group there is more than just choosing the inheritance option within the GUI profile. I have to run this script to set the admin account to 0 instead of 1.

Thanks oBda
0
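
The cleanup described in the accepted answer and the author's last comment (accounts that left a protected group but kept the flag and the blocked inheritance), as an added PowerShell example that is not from the thread or the KB article. It assumes the ActiveDirectory module, which is newer than the Windows 2003 tooling in the question, and it uses the protected-group list from the accepted answer.

```powershell
# Added example (not from the thread or KB 817433). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Protected groups as listed in the accepted answer; other protected groups may exist.
$protectedNames = 'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins', 'Schema Admins',
    'Enterprise Admins', 'Cert Publishers'

# Collect every user that is still a direct or nested member of a protected group.
# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive membership).
# Limit: membership held only through primaryGroupID is not in memberOf and is missed.
$stillProtected = @{}
foreach ($name in $protectedNames) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"   # empty if absent in this domain
    if (-not $group) { continue }
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# Users still stamped adminCount=1 but no longer in any of those groups.
# krbtgt is excluded: it is protected in its own right, not through a group.
$orphans = Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' |
    Where-Object { -not $stillProtected.ContainsKey($_.DistinguishedName) }

foreach ($user in $orphans) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Report first: this is the state the question describes.
    [pscustomobject]@{
        User               = $user.SamAccountName
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }

    # Both halves of the fix: reset adminCount and re-enable inheritance.
    # -WhatIf only previews; remove it after reviewing the report.
    Set-ADUser -Identity $user -Replace @{ adminCount = 0 } -WhatIf
    if ($acl.AreAccessRulesProtected) {
        # First argument $false re-enables inheritance; the second is ignored in that case.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl -WhatIf
    }
}
```

Re-enabling inheritance leaves in place the explicit ACEs that were stamped on the account while it was protected, so review those separately.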
