  • Status: Solved
  • Priority: Medium
  • Security: Public

Security Permissions Keep Disappearing

We were previously using Motorola Good server to push our email. We just switched to a BlackBerry server. The problem is related to the "Send As" permission.

When I go into my user in AD and go to the 'security tab', I add "Admin.Blackberry" with 'send as' permission. Everything works. Problem is, every hour or so "Admin.Blackberry" disappears and the old "Admin.Good" account gets re-added. The "Admin.Good" account has been removed but is still getting added, although now it is showing '(S-1-5-21-2132901703-831487806-891584314-8331)' instead of the name. I know this is representing the old "Admin.Good" account.

I'm sure it has to do with inheriting object permissions and such, but I can't find how to prevent this incident from happening.


Asked by: MushroomStamp
1 Solution
 
meugen commented:
Hmmm, it looks like it is related to the AdminSDHolder object. This means that every hour, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory that are in administrative groups against the ACL on the following object: CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com

If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.
 
Check this: http://support.microsoft.com/kb/232199

MushroomStamp (Author) commented:
My fault for not saying in the question, but I did tag it. Our environment runs on Windows 2003; the solution you reference is for 2000.

ALogvin commented:
meugen is correct; the problem lies in the AdminSDHolder. This object in AD stores the permissions for Domain Admins in your domain. If you add permissions on a user who is a domain admin, once an hour your domain will reset it to look like the AdminSDHolder object again.

To fix it, you will need to fix the permission on that object. Unfortunately this object isn't a "User" object, so it is hard to use the GUI to fix it. You may need to use the DSACLS command.
 
MushroomStamp (Author) commented:
That is true, it is the Domain Admin that is having permissions reset. This all sounds right. It is just that the link for the fix said it was for 2000 only. There is a DSACLS command built into 2003; however, it is unclear how I would use it to clear up this problem.

ALogvin commented:
The same issue applies to 2003. Microsoft isn't known for writing easy-to-read KB articles ;)

dsacls "cn=adminsdholder,cn=system,dc=domainname,dc=com" /G "DOMAINNAME\BESadmin:CA;Send As"
0
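The same fix that ALogvin gives as a dsacls one-liner, worked through in PowerShell as an added example (this is not code from the thread, from BlackBerry or from Microsoft). It lists the accounts SDProp protects, puts the Send As grant on AdminSDHolder so SDProp copies it to every protected account instead of stripping it, removes an ACE left behind by a deleted principal (the bare SID the question describes), verifies the result, and triggers SDProp on the PDC emulator rather than waiting up to an hour. It assumes a domain-joined session running as a Domain Admin and reuses the thread's domain (Steerman.Parkwood) and service account (STEERMAN\Admin.Blackberry); the well-known Send-As right GUID is a fact, while the orphaned-SID test and the RootDSE trigger attribute name are assumptions to confirm against your own DCs. Plain ADSI is used so no RSAT module is required.

```powershell
# Added example, not from the original thread. Assumes a domain-joined session with
# Domain Admin rights. Domain and account names are the ones used in the thread.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = $rootDse.defaultNamingContext.Value      # e.g. DC=Steerman,DC=Parkwood
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"
$account  = 'STEERMAN\Admin.Blackberry'              # service account that must keep Send As
# Well-known GUID of the Send-As extended right (controlAccessRight in the schema)
$sendAs   = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

# 1. List the accounts SDProp will overwrite: everything carrying adminCount=1.
#    A Send As ACE placed directly on any of these is undone within the hour.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$domainDN",
    '(&(objectCategory=person)(adminCount=1))',
    @('distinguishedName'))
$searcher.PageSize = 500
$protected = $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
Write-Output "Accounts protected by AdminSDHolder:"
$protected | ForEach-Object { Write-Output "  $_" }

# 2. Grant Send As on AdminSDHolder itself. SDProp stamps this ACL onto every
#    protected account, which is exactly what the dsacls /G ... "CA;Send As" line does.
$holder = [ADSI]"LDAP://$holderDN"
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $sendAs)
$holder.ObjectSecurity.AddAccessRule($ace)

# 3. Drop ACEs whose principal no longer exists. An IdentityReference that could not
#    be resolved is left as a raw S-1-5-21-... string (the old Admin.Good in the thread).
#    Assumption: you have confirmed every such SID really is a deleted account.
$stale = @($holder.ObjectSecurity.Access | Where-Object {
    $_.IdentityReference.Value -match '^S-1-5-21-' })
foreach ($rule in $stale) {
    Write-Output "Removing orphaned ACE for $($rule.IdentityReference.Value)"
    [void]$holder.ObjectSecurity.RemoveAccessRule($rule)
}
$holder.CommitChanges()

# 4. Verify against the directory that the Send As ACE is now on AdminSDHolder.
$holder.RefreshCache()
$holder.ObjectSecurity.Access |
    Where-Object { $_.ObjectType -eq $sendAs } |
    Format-Table IdentityReference, AccessControlType, ObjectType -AutoSize

# 5. Optional: run SDProp now instead of waiting for the 60-minute cycle. It only runs
#    on the PDC emulator. Assumption: the RootDSE trigger attribute is fixupInheritance
#    on Windows 2000/2003 DCs and runProtectAdminGroups on Windows Server 2008 and later.
$pdc     = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$pdcRoot = [ADSI]"LDAP://$pdc/RootDSE"
$pdcRoot.Put('fixupInheritance', 1)
$pdcRoot.SetInfo()
```

Two caveats before running it. Anything granted on AdminSDHolder lands on every protected account, so the BES service account ends up with Send As over all Domain Admins, Enterprise Admins and similar, not just the one mailbox that needs it; a narrower fix is to give the person a non-administrative account for mail and keep the admin account out of BlackBerry entirely. And, as meugen's comment notes, adminCount stays set after an account leaves an admin group, so step 1 may list accounts you no longer consider administrative; clear adminCount and re-enable inheritance on those by hand.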

MushroomStamp (Author) commented:
OK, you've nailed it, but I have an issue. This is what happens.
On the DC, I open a command prompt, then type in the following:
dsacls "cn=adminsdholder,cn=system,dc=Steerman,dc=com" /G "STEERMAN\Admin.Blackberry:CA;Send As"

It tells me "specified domain either does not exist or could not be contacted". So I tried the full object name Steerman.Parkwood and got the same result. Is it because of the dc=com?

ALogvin commented:
Yeah, it's something with your domain. Look in AD to verify whether "Steerman.com" is listed as your domain.

MushroomStamp (Author) commented:
It's not a .com; the domain is Steerman.Parkwood (this was created before I took over).

ALogvin commented:
OK, change the dsacls string to match:

dc=Steerman,dc=Parkwood

MushroomStamp (Author) commented:
So I tried: dsacls "cn=adminsdholder,cn=system,dc=Steerman,dc=ParkWood" /G "STEERMAN\Admin.Blackberry:CA;Send As"

And this is what I got (see attachment: results.txt).

ALogvin commented:
Great! The command completed successfully. Wait an hour for the permissions to get sent to your objects and let's see how we do!

MushroomStamp (Author) commented:
Yep, everything seems to be working now, thanks!! You're my hero. Although now I'm having a MAPI issue with BlackBerry Manager; I'll post that one separately.

Thanks Again

ALogvin commented:
Could you please mark my solution as the "Accepted" one rather than the "assisted" one? This will help other users find a solution easier when searching.