Security Permissions Keep Dissappearing

We were previously using Motorola Good server to push our Email. We just switched to a BlackBerry Server.  The problem is related to the "Send As".

When I go into my user in AD and go to the 'security tab', I add "Admin.Blackberry" with 'send as' permission.  Everything works. Problem is, every hour or so "Admin.Blackberry" dissapears and the old "Admin.Good" account gets readded. The "Admin.Good"  account has been removed but is still getting added, although now it is showing  '(S-1-5-21-2132901703-831487806-891584314-8331)' instead of the name. I know this is reprensting the old "Admin.Good" account.

I'm sure it has to do with inheriting object permsions and such, but I can't find how to prevent this incident from happening.

Dwight CraneIT ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hmmm it looks is related to AdminSDHolder object. This means that at every hour, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the following object: CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com

If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.
Check this:
Dwight CraneIT ManagerAuthor Commented:
My fault for not saying in the question, but I did tag it. Our environment runs on Windows 2003 .. the solution you reference is for 2000.  
meugen is correct, the problem lays in the ADminSDHolder. This object in AD stores the permissions for Domain Admins in your domain. If you add permissions on a user who is a domain admin, once a hour your domain will reset it to look like the AdminSDHolder object again.

To fix, you will need to fix the permission on that object. Unfortunetly this object isnt a "User" object so it is hard to use the GUI to fix. You may need to use the DSACLS command.
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

Dwight CraneIT ManagerAuthor Commented:
That is true, it is the Domain Admin that is having Permissions reset. This all sounds right. It is just on the link for the fix it said for 2000 only. there is a DSACLS command built into 2003 however it is unclear how I would use it to clear up this problem.
The same issue applys to 2003. Microsoft isnt known for writing easy to read KB articles ;)

dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=com" /G "DOMAINNAME\BESadmin:CA;Send As"

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dwight CraneIT ManagerAuthor Commented:
Ok, you've nailed it.. but I have a an issue.. This is what happens.
On the DC, I open command prompt. then type in teh following..
dsacls "cn=adminsdholder,cn=system,dc=Steerman,dc=com" /G "STEERMAN\Admin.Blackberry:CA;Send As"

It tells me "specified domain either does not exist or could not be contacted".  So I tried full Object name Steerman.Parkwood and got the same result.  is it because of the dc=com?
yah its something w/ your domain. Look in AD to verify if "" is listed as your Domain.
Dwight CraneIT ManagerAuthor Commented:
it's not a .com  domain is Steerman.Parkwood .. (this was created before I took over)
Ok. chnge the dsacls string to match...

Dwight CraneIT ManagerAuthor Commented:
So I tried ... dsacls "cn=adminsdholder,cn=system,dc=Steerman,dc=ParkWood" /G "STEERMAN\Admin.Blackberry:CA;Send As"

And this is what I got (see attachment)

Great! The command completed Successfully. Wait an hour for the permissions to get sent to your objects and lets see how we do!
Dwight CraneIT ManagerAuthor Commented:
Yeap.. everything seems to be working now thanks !! You're my hero...  ALthough now I'm having a MAPI issue for Blackberry Manager, I'll post that one seperately..

Thanks Again
Could you please mark my solution as the "Accepted" one rather than the "assisted" one? This will help other users find a solution easier when searching.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.