Link to home
Start Free TrialLog in
Avatar of Ambusticated
AmbusticatedFlag for United States of America

asked on

AD Permissions for Domain Users NIGHTMARE

Okay, it's not a nightmare -- but it is a major concern. Maybe I am just confused about a basic tenent of Active Directory. If this is the care, please tell me.

When I use AD Users & Computers and click on the Security Tab of regular, everyday users, there are listings for Administrators, Cert Publishers, Enterprise Admins, etc.

Does this mean these USERS have these permissions? Or does it simply mean that those Admin groups have authority over these users?

I'd look this up myself, but I am dead tired from a long weekend of rolling out a new SBS 2003 R2. One reason I am curious and worried is that I was on a tech support call with a 3rd party vendor late last night. His solution to a problem we were having with their software was to edit some User Permissions that involed setting some "inherit" admin functions.

I've already had six Mtn Dew so far today, but I'm still thinking pretty blurry. Otherwise, the network rollout has been a huge success per the users. I figure I have to worry about something, so this is what I am worrying about right now.

Thanks for helping me out.
Avatar of tigermatt
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
When I say "(should always be groups in there, don't hard code custom permissions to user objects)", I mean it is good practice, and very useful for the future, not to hard program a particular user account into ANY security tab of any object anywhere on the network. By doing so, you make it very, very difficult in the future to easily grant another user those same permissions, since you would have to manually hard code that user in 10, 15, 20 places. If you use security groups (it doesn't matter if a particular group only has one user object in its members) you just add a user as a member of the security group, and the permissions are inherited down automatically.
Avatar of Ambusticated


Precise, clearly stated and expert reply. Always a please dealing with you!