Solved

Microsoft Server 2003 Active Directory Permissions Issue

Posted on 2011-03-16
4
687 Views
Last Modified: 2012-05-11
I have a user in active directory on our Microsoft Server 2003 domain controller that I am having a permissions issue with.

I need the user to inherit permissions from the domain controller, so I go into the users account, click the security tab, click the advanced button, and Check the box that says "Allow inheritable permissions from the parent to propagate to this object and all child objects"  When I do that and hit the apply button the permissions that i need appear in the window above and tell me they are inherited from the domain controller.

So its all good and fine, but then, whenever the domain controller does an update, it automatically REMOVES the check mark from the box and the inherited permissions disappear.

The only thing that I have read that might cause this is if the user is a member of a Microsoft designated "protected group."  Problem is, this user isn't a member of any protected groups.  Only Domain Users and a group for the department hes in within the company.  And all the other people that are in that department group have the same box checked in their accounts and it stays there.

What else could be turning off the inherit permissions for this user account?
0
Comment
Question by:gedruspax
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
Justin Owens earned 500 total points
ID: 35147767
Most likely to do with Protected Groups (either currently a member or was a past member):

http://support.microsoft.com/?kbid=817433

For these groups, delegated permissions are not available and as a result inheritance is automatically disabled.

DrUltima
0
 

Author Comment

by:gedruspax
ID: 35147848
He did USED to be in a protected group but he isn't any longer.

So how do i keep it from revoking delegated permissions?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35148128
When a user account is added to a Protected group, AD changes it in the background.  I am not sure exactly how it is changed.  I suppose you could use a tool like ASDI Edit to do a comparison of his account to another account which was never protected, but I am not sure it would be worth it.  

If I was in your shoes, I might just rename and disable his old AD account and create a new one.  Change group memberships, mail association, etc., and move along, as it were.

You other choice is to modify AD to allow inheritance, as described in the KB above.

DrUltima
0
 

Author Closing Comment

by:gedruspax
ID: 35167409
I went into active directory and changed the SD holder to inherit permissions from parent.  after i did that the permissions are inheriting correctly.

thanks again!
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question