Solved

Microsoft Server 2003 Active Directory Permissions Issue

Posted on 2011-03-16
Last Modified: 2012-05-11
I have a user in Active Directory on our Microsoft Server 2003 domain controller that I am having a permissions issue with.

I need the user to inherit permissions from the domain controller, so I go into the user's account, click the security tab, click the advanced button, and check the box that says "Allow inheritable permissions from the parent to propagate to this object and all child objects".  When I do that and hit the apply button the permissions that I need appear in the window above and tell me they are inherited from the domain controller.

So it's all good and fine, but then, whenever the domain controller does an update, it automatically REMOVES the check mark from the box and the inherited permissions disappear.

The only thing that I have read that might cause this is if the user is a member of a Microsoft designated "protected group."  Problem is, this user isn't a member of any protected groups.  Only Domain Users and a group for the department he's in within the company.  And all the other people that are in that department group have the same box checked in their accounts and it stays there.

What else could be turning off the inherit permissions for this user account?
Question by:gedruspax
4 Comments
 
LVL 31

Accepted Solution

by:
Justin Owens earned 2000 total points
ID: 35147767
Most likely to do with Protected Groups (either currently a member or was a past member):

http://support.microsoft.com/?kbid=817433

For these groups, delegated permissions are not available and as a result inheritance is automatically disabled.

DrUltima
0
 

Author Comment

by:gedruspax
ID: 35147848
He did USED to be in a protected group but he isn't any longer.

So how do I keep it from revoking delegated permissions?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35148128
When a user account is added to a Protected group, AD changes it in the background.  I am not sure exactly how it is changed.  I suppose you could use a tool like ADSI Edit to do a comparison of his account to another account which was never protected, but I am not sure it would be worth it.

If I was in your shoes, I might just rename and disable his old AD account and create a new one.  Change group memberships, mail association, etc., and move along, as it were.

Your other choice is to modify AD to allow inheritance, as described in the KB above.

DrUltima
0
 

Author Closing Comment

by:gedruspax
ID: 35167409
I went into Active Directory and changed the SD holder to inherit permissions from parent.  After I did that the permissions are inheriting correctly.

Thanks again!
0
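A read-only audit of the situation discussed in this thread, added here as an example and not posted by any participant: it lists accounts carrying the `adminCount=1` stamp left by protected-group handling, and reports whether each is still in a protected group through nested membership and whether ACL inheritance is switched off. It assumes the ActiveDirectory PowerShell module can reach the domain (against Server 2003 domain controllers that needs the Active Directory Management Gateway Service), and the names in `$protectedGroupNames` are an assumed list to adjust for your environment.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in AD.
Import-Module ActiveDirectory

# Assumption: group names to treat as protected. Adjust to the list that
# applies to your OS version and to any localized or renamed groups.
$protectedGroupNames = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'Cert Publishers'
)

# Collect every account that is a member directly or through nested groups.
$protectedDNs = @{}
foreach ($name in $protectedGroupNames) {
    # -Filter returns nothing (instead of throwing) when the group is not in this domain.
    foreach ($group in (Get-ADGroup -Filter "Name -eq '$name'")) {
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $protectedDNs[$_.DistinguishedName] = $true }
    }
}

# Accounts that were treated as protected at some point carry adminCount=1.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        # Built-in Administrator (RID 500) and krbtgt (RID 502) are protected themselves.
        $builtIn = $_.SID.Value -match '-(500|502)$'
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            StillProtected      = $builtIn -or $protectedDNs.ContainsKey($_.DistinguishedName)
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
        }
    } |
    Sort-Object StillProtected, SamAccountName |
    Format-Table -AutoSize
```

An account reported with `StillProtected = True` will have its inheritance box cleared again on the next background pass, usually because of a nested group that is easy to miss in the Member Of tab. One reported `False` with `InheritanceDisabled = True` only carries the leftover flag from past membership.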
