Solved

Microsoft Server 2003 Active Directory Permissions Issue

Posted on 2011-03-16
Last Modified: 2012-05-11
I have a user in Active Directory on our Microsoft Server 2003 domain controller that I am having a permissions issue with.

I need the user to inherit permissions from the domain controller, so I go into the user's account, click the Security tab, click the Advanced button, and check the box that says "Allow inheritable permissions from the parent to propagate to this object and all child objects". When I do that and hit the Apply button, the permissions that I need appear in the window above and tell me they are inherited from the domain controller.

So it's all good and fine, but then, whenever the domain controller does an update, it automatically REMOVES the check mark from the box and the inherited permissions disappear.

The only thing that I have read that might cause this is if the user is a member of a Microsoft designated "protected group." Problem is, this user isn't a member of any protected groups. Only Domain Users and a group for the department he's in within the company. And all the other people that are in that department group have the same box checked in their accounts and it stays there.

What else could be turning off the inherit permissions for this user account?
Question by:gedruspax

Accepted Solution

by:
Justin Owens earned 500 total points
ID: 35147767
Most likely to do with Protected Groups (either currently a member or was a past member):

http://support.microsoft.com/?kbid=817433

For these groups, delegated permissions are not available and as a result inheritance is automatically disabled.

DrUltima

Author Comment

by:gedruspax
ID: 35147848
He did USED to be in a protected group but he isn't any longer.

So how do I keep it from revoking delegated permissions?

Expert Comment

by:Justin Owens
ID: 35148128
When a user account is added to a Protected group, AD changes it in the background. I am not sure exactly how it is changed. I suppose you could use a tool like ADSI Edit to do a comparison of his account to another account which was never protected, but I am not sure it would be worth it.

If I was in your shoes, I might just rename and disable his old AD account and create a new one.  Change group memberships, mail association, etc., and move along, as it were.

Your other choice is to modify AD to allow inheritance, as described in the KB above.

DrUltima

Author Closing Comment

by:gedruspax
ID: 35167409
I went into Active Directory and changed the SD holder to inherit permissions from parent. After I did that, the permissions are inheriting correctly.

Thanks again!
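
To check the premise discussed in this thread, the following added example (not part of the original posts) lists the accounts AD has stamped with `adminCount=1`, whether inheritance is currently blocked on each, and whether a nested path into a group that also carries `adminCount=1` still exists. It assumes the ActiveDirectory PowerShell module can reach a domain controller; the function name `Get-AdminCountReport` and the use of `adminCount` on groups as a marker for protected groups are choices made for this example.

```powershell
# Added example: read-only report, changes nothing in the directory.
# Assumes the ActiveDirectory module (RSAT) can reach a domain controller.
Import-Module ActiveDirectory

function Get-AdminCountReport {
    # Heuristic (assumption): groups carrying adminCount=1 are the protected
    # groups plus any groups nested inside them. A group that was un-nested
    # later can keep a stale adminCount, so treat the result as a hint.
    $viaGroup = @{}
    foreach ($group in (Get-ADGroup -LDAPFilter '(adminCount=1)')) {
        try {
            # -Recursive flattens nesting, which the Member Of tab does not show
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not expand $($group.Name): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            if (-not $viaGroup.ContainsKey($m.DistinguishedName)) {
                $viaGroup[$m.DistinguishedName] = $group.Name
            }
        }
    }

    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor |
        ForEach-Object {
            $dn = $_.DistinguishedName
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                # True = the "Allow inheritable permissions..." box is cleared
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                # Empty = no current path into an adminCount=1 group was found
                ProtectedVia       = $viaGroup[$dn]
                DistinguishedName  = $dn
            }
        }
}

Get-AdminCountReport | Sort-Object ProtectedVia, SamAccountName | Format-Table -AutoSize
```

A row with `InheritanceBlocked` true and an empty `ProtectedVia` matches the "used to be in a protected group" case described above; a row with a group name in `ProtectedVia` points to a membership, possibly nested, that is still in effect.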