Solved

Allow inheritable permission

Posted on 2007-11-15
Last Modified: 2010-08-05
I'm having a problem with some, not all, of my objects in Active Directory. There are some user objects, even though the container has the check mark under Properties/Security/Advanced 'Allow inheritable permissions from the parent...'

Even trying to manually manipulate the user object and check that option, 8 to 12 hours later it disappears.

Any help would be greatly appreciated

Windows 2003R2 server all the latest patches.
Question by:aborquez
8 Comments
 
LVL 7

Expert Comment

by:mcse2007
ID: 20295361
What type of domain structure do you have (e.g. forest, parent, child domain)?

If you are using a parent admin account and changing a user object's security rights in a child domain, ensure both of these domains are on the same domain controller level (e.g. 2000 native, 2003).


0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20295797
I have seen an MS article on this from oBdA but for the life of me I cannot find it - I would start trawling TechNet if I were you, I'll do the same, but there is definitely an article
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20296435
Both the parent and the child domain must be on the same domain functional level to solve this problem.
0

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20296445
I didn't see a single mention of a parent - child infrastructure
0
 
LVL 83

Accepted Solution

by:
oBdA earned 250 total points
ID: 20296937
These users are (or have been at one point) members of a "protected group" (Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins, Cert Publishers); check here for details.
Inheritance on these accounts is removed (mostly) on purpose; there is only a problem that if a user is removed from a protected group, the inheritance flag isn't reset automatically.

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/?kbid=817433
0
 

Author Comment

by:aborquez
ID: 20300352
Single domain no child

oBdA - Yes, one of the accounts was a member of a protected group, but even after I removed them and reflagged the inheritable permissions flag it goes away... I'll check the KB you attached and see if that helps.

All comments help. Thanks everyone.
0
 

Author Comment

by:aborquez
ID: 20300409
YES!!! The KB did help... Looks like after being a member of a protected group there is more than just choosing the inheritance option within the GUI profile. I have to run this script to set the admin account to 0 instead of 1.

Thanks oBdA
0
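
The cleanup this thread arrives at, as an added example that is not part of the original posts and is not the script from the KB article: it reports users that still carry adminCount=1 after leaving every protected group named in the accepted answer, and can clear the flag and re-enable inheritance. It assumes a management host with the ActiveDirectory PowerShell module and a single domain; the function names are hypothetical, and the group list should be extended if your domain protects additional groups.

```powershell
# Added example. Assumes the ActiveDirectory module is available on the admin host.
Import-Module ActiveDirectory

# Protected groups exactly as listed in the accepted answer.
$protectedNames = 'Administrators', 'Account Operators', 'Server Operators',
                  'Print Operators', 'Backup Operators', 'Domain Admins',
                  'Schema Admins', 'Enterprise Admins', 'Cert Publishers'

function Get-OrphanedAdminCountUser {
    # Build the set of users that are still direct or nested members of a protected group.
    $stillProtected = @{}
    foreach ($name in $protectedNames) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { continue }
        # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) follows nested membership.
        # Primary-group membership is not stored in memberOf and is not covered here.
        $filter = "(&(objectCategory=person)(objectClass=user)" +
                  "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName)))"
        Get-ADUser -LDAPFilter $filter |
            ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
    }
    # Users flagged adminCount=1 but outside that set kept the flag after removal.
    # krbtgt is protected in its own right, so it is never reported.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        Where-Object { $_.SamAccountName -ne 'krbtgt' -and
                       -not $stillProtected.ContainsKey($_.DistinguishedName) } |
        Select-Object SamAccountName, DistinguishedName,
            @{ n = 'InheritanceBlocked'; e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }
}

function Reset-OrphanedAdminCountUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
          [string]$DistinguishedName)
    process {
        if (-not $PSCmdlet.ShouldProcess($DistinguishedName,
                'Clear adminCount and re-enable inheritance')) { return }
        Set-ADUser -Identity $DistinguishedName -Clear adminCount
        $acl = Get-Acl -Path "AD:\$DistinguishedName"
        $acl.SetAccessRuleProtection($false, $false)   # $false = inherit from parent again
        Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
    }
}

# Report only; nothing is changed until the second line is run without -WhatIf.
Get-OrphanedAdminCountUser | Format-Table -AutoSize
# Get-OrphanedAdminCountUser | Reset-OrphanedAdminCountUser -WhatIf
```

Review the report before resetting anything: an account that is still privileged through a group not in the list above will have its protection reapplied by the directory after the reset.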
