Solved

Microsoft Server 2003 Active Directory Permissions Issue

Posted on 2011-03-16
4
679 Views
Last Modified: 2012-05-11
I have a user in active directory on our Microsoft Server 2003 domain controller that I am having a permissions issue with.

I need the user to inherit permissions from the domain controller, so I go into the users account, click the security tab, click the advanced button, and Check the box that says "Allow inheritable permissions from the parent to propagate to this object and all child objects"  When I do that and hit the apply button the permissions that i need appear in the window above and tell me they are inherited from the domain controller.

So its all good and fine, but then, whenever the domain controller does an update, it automatically REMOVES the check mark from the box and the inherited permissions disappear.

The only thing that I have read that might cause this is if the user is a member of a Microsoft designated "protected group."  Problem is, this user isn't a member of any protected groups.  Only Domain Users and a group for the department hes in within the company.  And all the other people that are in that department group have the same box checked in their accounts and it stays there.

What else could be turning off the inherit permissions for this user account?
0
Comment
Question by:gedruspax
  • 2
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
DrUltima earned 500 total points
ID: 35147767
Most likely to do with Protected Groups (either currently a member or was a past member):

http://support.microsoft.com/?kbid=817433

For these groups, delegated permissions are not available and as a result inheritance is automatically disabled.

DrUltima
0
 

Author Comment

by:gedruspax
ID: 35147848
He did USED to be in a protected group but he isn't any longer.

So how do i keep it from revoking delegated permissions?
0
 
LVL 31

Expert Comment

by:DrUltima
ID: 35148128
When a user account is added to a Protected group, AD changes it in the background.  I am not sure exactly how it is changed.  I suppose you could use a tool like ASDI Edit to do a comparison of his account to another account which was never protected, but I am not sure it would be worth it.  

If I was in your shoes, I might just rename and disable his old AD account and create a new one.  Change group memberships, mail association, etc., and move along, as it were.

You other choice is to modify AD to allow inheritance, as described in the KB above.

DrUltima
0
 

Author Closing Comment

by:gedruspax
ID: 35167409
I went into active directory and changed the SD holder to inherit permissions from parent.  after i did that the permissions are inheriting correctly.

thanks again!
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Some time ago I faced the need to use a uniform folder structure that spanned across numerous sites of an enterprise to be used as a common repository for the Software packages of the Configuration Manager 2007 infrastructure. Because the procedu…
Have you considered what group policies are backwards and forwards compatible? Windows Active Directory servers and clients use group policy templates to deploy sets of policies within your domain. But, there is a catch to deploying policies. The…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now