Allow inheritable permission

I'm having a problem with some, not all, of my objects in Active Directory. There are some user objects, even though the container has the check mark under Properties/Security/Advanced 'Allow inheritable permissions from the parent...'

Even trying to manually manipulate the user object and check that option, 8 to 12 hours later it disappears.

Any help would be greatly appreciated

Windows 2003R2 server all the latest patches.
aborquez Asked:
 
oBdA Commented:
These users are (or have been at one point) members of a "protected group" (Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins, Cert Publishers); check here for details.
Inheritance on these accounts is removed (mostly) on purpose; there is only a problem that if a user is removed from a protected group, the inheritance flag isn't reset automatically.

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/?kbid=817433
 
mcse2007 Commented:
What type of domain structure do you have (e.g. forest, parent, child domain)?

If you are using a parent admin account and changing user's object security rights in child domain, ensure both of these domains are on the same domain controller level (e.g. 2000 native, 2003).


 
Jay_Jay70 Commented:
I have seen an MS article on this from oBdA but for the life of me I cannot find it - I would start trawling TechNet if I were you, I'll do the same but there is definitely an article
 
mcse2007 Commented:
Both the parent and the child domain must be on the same domain functional level to solve this problem.
 
Jay_Jay70 Commented:
I didn't see a single mention of a parent - child infrastructure
 
aborquez (Author) Commented:
Single domain no child

oBdA - Yes, one of the accounts was a member of a protected group, but even after I removed them and reflagged the inheritable permissions flag it goes away... I'll check the KB you attached and see if that helps.

All comments help. Thanks everyone.
 
aborquez (Author) Commented:
YES!!! The KB did help... Looks like after being a member of a protected group there is more than just choosing the inheritance option within the GUI profile. I have to run this script to set the admin count to 0 instead of 1.

Thanks oBdA
Question has a verified solution.
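
The clean-up described in the thread (find accounts that left a protected group, re-enable inheritance, set adminCount back to 0), as an added example that is not part of the original posts and is not the script from KB 817433. It assumes PowerShell 2.0 or later, a single domain, and the protected-group list from the accepted answer; the `-Fix` switch and the function names are this example's own.

```powershell
# Added example, not the script from KB 817433. Report-only unless -Fix is given.
# Assumes PowerShell 2.0+, a single domain, rights to read (and with -Fix write) user ACLs.
param([switch]$Fix)   # -Fix is this example's own switch name

# Protected groups as listed in the accepted answer; extend for your environment.
$protected = 'Administrators','Account Operators','Server Operators','Print Operators',
             'Backup Operators','Domain Admins','Schema Admins','Enterprise Admins',
             'Cert Publishers'

function Find-Ad([string]$Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($Filter)
    $s.PageSize = 1000                     # page so every match is returned
    $s.FindAll()
}

function Protect-LdapValue([string]$Value) {   # RFC 4515 escaping for filter values
    $Value.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')
}

# Collect adminCount=1 users that are still in a protected group, directly or nested.
# Primary-group membership is not visible through memberOf, so review before fixing.
$still = @{}
foreach ($name in $protected) {
    foreach ($g in @(Find-Ad "(&(objectCategory=group)(sAMAccountName=$name))")) {
        $gdn = Protect-LdapValue $g.Properties['distinguishedname'][0]
        # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (follows nesting)
        $f = "(&(objectCategory=person)(adminCount=1)(memberOf:1.2.840.113556.1.4.1941:=$gdn))"
        foreach ($m in @(Find-Ad $f)) { $still[[string]$m.Properties['distinguishedname'][0]] = $true }
    }
}

# Everything else with adminCount=1 is a leftover; krbtgt is always protected, skip it.
$stale = '(&(objectCategory=person)(objectClass=user)(adminCount=1)(!(sAMAccountName=krbtgt)))'
foreach ($r in @(Find-Ad $stale)) {
    $dn = [string]$r.Properties['distinguishedname'][0]
    if ($still.ContainsKey($dn)) { continue }           # still protected: leave alone
    $de = $r.GetDirectoryEntry()
    $de.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    $sd = $de.psbase.ObjectSecurity
    New-Object PSObject -Property @{ User = $dn; InheritanceBlocked = $sd.AreAccessRulesProtected }
    if ($Fix) {
        $sd.SetAccessRuleProtection($false, $true)      # re-enable inheritance
        $de.psbase.Properties['adminCount'].Value = 0   # clear the protected marker
        $de.psbase.CommitChanges()
    }
}
```

Re-enabling inheritance does not remove the explicit ACEs that were stamped while the account was protected, so review those separately.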