  • Status: Solved

Allow inheritable permission

I'm having a problem with some, not all, of my objects in Active Directory. There are some user objects, even though the container has the check mark under Properties/Security/Advanced 'Allow inheritable permissions from the parent...'

Even trying to manually manipulate the user object and check that option, 8 to 12 hours later it disappears.

Any help would be greatly appreciated.

Windows 2003R2 server all the latest patches.
0
aborquez
1 Solution
 
mcse2007 Commented:
What type of domain structure do you have (e.g. forest, parent, child domain)?

If you are using a parent admin account and changing user's object security rights in a child domain, ensure both of these domains are on the same domain controller level (e.g. 2000 native, 2003).


0
 
Jay_Jay70 Commented:
I have seen an MS article on this from oBdA but for the life of me I cannot find it - I would start trawling TechNet if I were you, I'll do the same but there is definitely an article.
0
 
mcse2007 Commented:
Both the parent and the child domain must be on the same domain functional level to solve this problem.
0
 
Jay_Jay70 Commented:
I didn't see a single mention of a parent - child infrastructure.
0
 
oBdA Commented:
These users are (or have been at one point) members of a "protected group" (Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins, Cert Publishers); check here for details.
Inheritance on these accounts is removed (mostly) on purpose; there is only a problem that if a user is removed from a protected group, the inheritance flag isn't reset automatically.

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/?kbid=817433
0
 
aborquez (Author) Commented:
Single domain, no child.

oBdA - Yes, one of the accounts was a member of a protected group, but even after I removed them and reflagged the inheritable permissions flag it goes away... I'll check the KB you attached and see if that helps.

All comments help. Thanks everyone.
0
 
aborquez (Author) Commented:
YES!!! The KB did help... Looks like after being a member of a protected group there is more than just choosing the inheritance option within the GUI profile. I have to run this script to set the admin count to 0 instead of 1.

Thanks oBdA
0
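
An added example, not part of the thread and not the script from the KB article: a PowerShell audit for the situation oBdA describes, listing users that still carry adminCount=1 although they are no longer in any of the protected groups named in that answer, and showing whether inheritance is still blocked on them. It assumes the ActiveDirectory module (RSAT) is available and a single domain as in the question; the `-Fix` switch is this example's own parameter, and without it the script only reports.

```powershell
# Added example: audit stale adminCount / blocked inheritance on user objects.
# Assumption: ActiveDirectory module (RSAT) is installed; single-domain forest.
param([switch]$Fix)   # hypothetical switch of this example: also repair what is found
Import-Module ActiveDirectory

# Protected groups as listed in the answer above (the exact set varies by OS version).
$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators',
                   'Print Operators', 'Backup Operators', 'Domain Admins',
                   'Schema Admins', 'Enterprise Admins', 'Cert Publishers'

# Collect the DNs of every current member, including nested membership.
$stillProtected = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# Users flagged adminCount=1 that are no longer in any protected group.
$stale = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object {
        -not $stillProtected.ContainsKey($_.DistinguishedName) -and
        $_.SamAccountName -ne 'krbtgt'   # krbtgt is protected in its own right; leave it alone
    }

foreach ($user in $stale) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Report: AreAccessRulesProtected = True means the inheritance box is unchecked.
    [pscustomobject]@{
        User               = $user.SamAccountName
        AdminCount         = $user.adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }

    if ($Fix) {
        # Set adminCount back to 0 and re-enable inheritance from the parent.
        Set-ADUser -Identity $user -Replace @{ adminCount = 0 }
        $acl.SetAccessRuleProtection($false, $true)   # isProtected = $false
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Any account the report lists that should not have had privileged membership in the first place is worth reviewing before it is repaired.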
