Microsoft Server 2003 Active Directory Permissions Issue

Posted on 2011-03-16
Last Modified: 2012-05-11
I have a user in Active Directory on our Microsoft Server 2003 domain controller that I am having a permissions issue with.

I need the user to inherit permissions from the domain controller, so I go into the user's account, click the Security tab, click the Advanced button, and check the box that says "Allow inheritable permissions from the parent to propagate to this object and all child objects". When I do that and hit the Apply button, the permissions that I need appear in the window above and tell me they are inherited from the domain controller.

So it's all good and fine, but then, whenever the domain controller does an update, it automatically REMOVES the check mark from the box and the inherited permissions disappear.

The only thing that I have read that might cause this is if the user is a member of a Microsoft designated "protected group." Problem is, this user isn't a member of any protected groups. Only Domain Users and a group for the department he's in within the company. And all the other people that are in that department group have the same box checked in their accounts and it stays there.

What else could be turning off the inherit permissions for this user account?
Question by:gedruspax

Accepted Solution

by:
Justin Owens earned 2000 total points
ID: 35147767
Most likely to do with Protected Groups (either currently a member or was a past member):

http://support.microsoft.com/?kbid=817433

For these groups, delegated permissions are not available and as a result inheritance is automatically disabled.

DrUltima

Author Comment

by:gedruspax
ID: 35147848
He USED to be in a protected group, but he isn't any longer.

So how do I keep it from revoking delegated permissions?

Expert Comment

by:Justin Owens
ID: 35148128
When a user account is added to a Protected group, AD changes it in the background. I am not sure exactly how it is changed. I suppose you could use a tool like ADSI Edit to do a comparison of his account to another account which was never protected, but I am not sure it would be worth it.

If I was in your shoes, I might just rename and disable his old AD account and create a new one. Change group memberships, mail association, etc., and move along, as it were.

Your other choice is to modify AD to allow inheritance, as described in the KB above.

DrUltima

Author Closing Comment

by:gedruspax
ID: 35167409
I went into Active Directory and changed the SD holder to inherit permissions from parent. After I did that, the permissions are inheriting correctly.

Thanks again!
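The account comparison suggested in the thread can be scripted instead of done by hand in ADSI Edit. The following is an added example, not part of the original thread: a read-only PowerShell function that reports, for each account, the `adminCount` attribute (which Active Directory sets to 1 on accounts it has treated as protected and does not clear when the membership is removed) and whether the account's ACL blocks inheritance. The function name `Get-AdminSdState` and the account names in the sample call are assumptions.

```powershell
# Added example, read-only: reports state and changes nothing in the directory.
# Assumes a domain-joined machine and rights to read the accounts' security descriptors.
function Get-AdminSdState {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$SamAccountName
    )
    foreach ($name in $SamAccountName) {
        # Refuse input that could alter the LDAP filter built below.
        if ($name -notmatch '^[A-Za-z0-9._\- $]+$') {
            Write-Warning "Skipping '$name': unexpected characters"
            continue
        }
        $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@('admincount', 'memberof', 'distinguishedname'))
        $result = $searcher.FindOne()
        if (-not $result) {
            Write-Warning "Account '$name' not found"
            continue
        }

        # adminCount is absent on accounts that were never handled as protected.
        $adminCount = $null
        if ($result.Properties['admincount'].Count -gt 0) {
            $adminCount = $result.Properties['admincount'][0]
        }

        # AreAccessRulesProtected is True when the "inherit from parent" box is cleared.
        $sd = $result.GetDirectoryEntry().psbase.ObjectSecurity

        New-Object PSObject -Property @{
            Account            = $name
            AdminCount         = $adminCount
            InheritanceBlocked = $sd.AreAccessRulesProtected
            DirectGroups       = (@($result.Properties['memberof']) -join '; ')
            DN                 = [string]$result.Properties['distinguishedname'][0]
        } | Select-Object Account, AdminCount, InheritanceBlocked, DirectGroups, DN
    }
}

# Constructed account names: the affected user and a peer that was never in a protected group.
Get-AdminSdState -SamAccountName 'affected.user', 'peer.user' | Format-List
```

An account showing `AdminCount` of 1 with `InheritanceBlocked` set to True carries the footprint of protected-group handling; a peer that was never protected normally shows an empty `AdminCount` and False.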
