OllarConsulting
asked on
W2k3 AD Users and Computers - Allow Inheritable Permissions Keeps Resetting?
I am encountering a very unusual error on a Windows 2003 DC. For some unknown reason, a handful of users do not have "Allow Inheritable Permissions..." checked in AD Users & Computers Security settings.
I can enable it, but then sometime over the course of the day it gets reset back to unchecked.
I have reviewed Event Viewer logs and don't see anything....
Thanks in advance!
ASKER
Hmmm... the latest service packs are installed (which is the suggested fix in the KB article).
Is there a way to "undo" the delegation of control?
Does it revert back in about an hour? Are those users, or were those users ever, a member of any elevated groups?
Sounds like you are being affected by the adminsdholder process. More on that http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx
You can also search for more on adminsdholder.
Thanks
Mike
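A read-only check for the two questions in the reply above, as an added example that is not part of the original thread: it lists user accounts carrying `adminCount=1` (the marker SDProp stamps on accounts it protects), whether ACL inheritance is currently disabled on each, and their direct group memberships. It assumes PowerShell 2.0 or later on a domain-joined machine and uses only the built-in ADSI searcher; the variable and column names are illustrative.

```powershell
# Added example (not from the thread): find accounts stamped by SDProp and
# report whether "Allow inheritable permissions" is switched off on them.
# Read-only: nothing in the directory is modified.

# adminCount=1 is set by SDProp on members of protected groups.
$filter   = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
$searcher = [adsisearcher]$filter
$searcher.PageSize = 500          # page results so large domains are not cut off
$searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'memberof'))

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        # The security descriptor is read from the bound directory entry.
        $entry = $r.GetDirectoryEntry()
        $sd    = $entry.psbase.ObjectSecurity

        # Direct memberships only; nested groups and the primary group
        # are not expanded here.
        $groups = @()
        if ($r.Properties.Contains('memberof')) {
            $groups = @($r.Properties['memberof'] |
                ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
        }

        New-Object PSObject -Property @{
            Account             = [string]$r.Properties['samaccountname'][0]
            InheritanceDisabled = $sd.AreAccessRulesProtected
            DirectGroups        = ($groups -join '; ')
        }
        $entry.Dispose()
    }
}
finally {
    $results.Dispose()
}

$report |
    Sort-Object Account |
    Select-Object Account, InheritanceDisabled, DirectGroups |
    Format-Table -AutoSize -Wrap
```

An account that shows `InheritanceDisabled = True` while it is still in a protected group will have the box unchecked again on the next SDProp pass; one that is no longer in any such group keeps `adminCount=1` and the disabled inheritance from its earlier membership, because SDProp does not undo either when the membership is removed.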
Have you tested your replication in AD? Are you making the change on the PDC role holder or another DC in your environment? If you are having replication conflicts and you are making this change on a DC that is not holding the PDC role, the PDC always wins when there are replication conflicts.
The other thought is someone is changing the values back.
In order to accomplish this you are going to need to view the security logs on each of the domain controllers. I would suggest increasing the log size so that they do not overwrite old events. If you have many DCs in your environment this will be time consuming and difficult to track down.
I would recommend a product called ADAudit Plus which is not free but you can download a fully featured version for 30 days. This should definitely help tracking down the changes if this is the issue.
AD Audit Plus - http://www.manageengine.com/products/active-directory-audit/
Will.
ASKER
It does appear to be resetting in about an hour and I am making the changes on the PDC....
ASKER CERTIFIED SOLUTION
http://support.microsoft.com/kb/817433/en-us