Florin Petrutiu

Permissions being overwritten automatically

Permissions of all users are overwritten after 30-50 minutes with default permissions in AD, resulting in the Blackberry user not being able to send messages. When you go into Active Directory in Advanced view, open a user, and change a permission under the Security tab, AD overwrites the permissions after about an hour with default permissions. The user is not a member of any administrative group, nor is the "allow to pull permissions from the parent" option checked. Any ideas?
oBdA

These users are (or have been at one point!) members of a "protected group" (Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Domain Admins, Schema Admins, Enterprise Admins, Cert Publishers, and Domain Power Users in SBS); check here for details:
The "Send As" right is removed from a user object after you configure the "Send As" right in the Active Directory Users and Computers snap-in in Exchange Server
http://support.microsoft.com/?kbid=907434

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/?kbid=817433

AdminSDHolder Thread Affects Transitive Members of Distribution Groups
http://support.microsoft.com/?kbid=318180

Security tab of the adminSDHolder object does not display all properties
http://support.microsoft.com/?kbid=301188

Florin Petrutiu (ASKER)

Yeah, I was thinking of that as well; I have created a new user called "test" just to rule that out. I have made the permission change and it still did the same thing to it.
ASKER CERTIFIED SOLUTION
SowelaIT

This solution is only available to members.
PS - I ran that command on the BES server.
You might want to make sure that there is no nested group membership that makes your users a member of any of the protected groups.
Another comparatively easy check is to use adsiedit.msc to check whether the adminCount attribute of these users is set to 1. If it is, then these users definitely have been or are still in a protected group.
I tried setting up a batch file to run every 5 minutes to re-apply the besadmin SendAs permissions. However, it would not inherit on to the problem user account due to permission inheritance being off.
After turning it back on, within 5 minutes it would turn off again. It just wouldn't stay.

oBdA: this turned out to be the case in our situation. I cleared the adminCount attrib and they are still properly inheriting SendAs permissions after a good hour.
As it turns out the user was part of the Print Operators group which kept removing the permission inheritance, and setting their adminCount to 1.
It seems that this problem is actually caused by FRS. I am trying to solve this issue to see if that would help. I will write here if I find a solution.
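
The two checks suggested in the thread (nested membership in a protected group, and adminCount set to 1) can be run together in one read-only report. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses the protected-group names listed above.

```powershell
# Added example (not from the thread). Read-only: nothing in AD is modified.
# Assumption: the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

# Protected groups as listed in the thread. A group missing from this domain
# (for example Schema Admins outside the forest root) is simply skipped.
$protectedNames = 'Administrators', 'Account Operators', 'Server Operators',
                  'Print Operators', 'Backup Operators', 'Domain Admins',
                  'Schema Admins', 'Enterprise Admins', 'Cert Publishers'

# Map each member DN to the protected groups it belongs to.
# -Recursive expands nested groups, which is the check suggested above.
$membership = @{}
foreach ($name in $protectedNames) {
    foreach ($group in Get-ADGroup -Filter "Name -eq '$name'") {
        foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
            $dn = $member.DistinguishedName
            if (-not $membership.ContainsKey($dn)) { $membership[$dn] = @() }
            $membership[$dn] += $group.Name
        }
    }
}

# Every user with adminCount=1, plus the inheritance flag from its security descriptor.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $groups = $membership[$_.DistinguishedName]
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            # True means "inherit permissions from parent" is unchecked on the object.
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            # Empty membership means the flag is left over from an earlier membership.
            ProtectedVia        = if ($groups) { ($groups | Sort-Object -Unique) -join ', ' }
                                  else { '(no current membership)' }
        }
    } |
    Sort-Object ProtectedVia, SamAccountName |
    Format-Table -AutoSize
```

An account that shows a group in ProtectedVia is still in a protected group, directly or through nesting; an account showing "(no current membership)" carries adminCount=1 from an earlier membership.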