Solved

AD Account Security Settings Not Holding

Posted on 2015-02-02
Last Modified: 2015-06-30
Greetings,

I've uncovered a weird situation where I have a couple of accounts that are not maintaining their security settings. Specifically, I have accounts that I need to allow user1 to 'Send As' (via Exchange 2010). So, I go into the account within ADUC and make sure that the 'Include inheritable permissions from the object's parent' is checked. In this case, it is not, so I check it and hit 'Apply'. Then, within Exchange EMC, I go into 'Manage Send As Permissions' and add the existing user. All seems fine. Then, within a matter of minutes, the user no longer has any rights to the mailbox and the 'Include Inheritable...' check box is cleared. It really acts like someone else has the same account open within AD and is saving changes after I do, thus overwriting them. I know that is not happening. But I am wondering if there is something that I should be looking for on my DCs that may suggest a problem. Are there Event Viewer logs or Replmon logs that I need to look at? I've gone through the logs, but am not finding anything obvious. I have a native 2008 functionality level.

I appreciate any assistance.

Thanks,

Jeremy
0
Comment
Question by:Jer
9 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 40584172
First off you should just need to add the user from the EMC and then let the permissions propagate to Active Directory. Second, what type of account are you granting permissions to? Is it a user or group?

Depending on what group/s you are adding, it might be removing permissions based on the Active Directory AdminSDHolder Protected Groups.

Take a look at the article below for more in depth detail.
AdminSDHolder Protected Group

Will.
0
 
LVL 3

Author Comment

by:Jer
ID: 40584794
We're in a transition at the moment.  I agree that everything should be done within EMC, but due to a need to limit access to the actual Exchange Server, we're still using AD and EMC.  In this case, these are all just user accounts.  The accounts were previously existing in an Exchange 2003 environment.  We performed a transition in 2014.  The users that are having their security changed are simply members of Domain Users and nothing else.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40584858
Are any of these users part of any protected groups? Could you add a user with limited group permissions (just domain users) to see if the AdminSDHolder is creating the issue?

This is the only thing that really stands out when you say you set a permission and it gets removed.

Will.
0
 
LVL 3

Author Comment

by:Jer
ID: 40633750
Still an issue.  Other projects have interfered.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40633756
Verifying if this is in fact the AdminSDHolder issue is quite simple. Just make sure that the user you are adding is not part of any protected groups. If it still happens then it is caused by something else in your domain, but this is most likely the cause.

Will.
0
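One way to run the protected-group check suggested in the replies above, including nested membership that the ADUC "Member Of" tab does not show. This is an added example, not code from the thread: the function name is hypothetical, and it assumes the RSAT ActiveDirectory module and that protected groups carry adminCount=1, as SDProp stamps them.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-AdminSDHolderExposure {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties adminCount, primaryGroup, nTSecurityDescriptor

    # Escape characters that are special inside an LDAP filter value
    # (backslash first, so later escapes are not escaped again).
    $dn = $user.DistinguishedName
    foreach ($p in @(@('\', '\5c'), @('*', '\2a'), @('(', '\28'), @(')', '\29'))) {
        $dn = $dn.Replace($p[0], $p[1])
    }

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it matches direct
    # and nested (transitive) membership. Restricting to adminCount=1 keeps only
    # groups that SDProp treats as protected or nested inside a protected group.
    $filter = "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
    $groups = @(Get-ADGroup -LDAPFilter $filter -Properties adminCount)

    # The member attribute does not list primary-group members,
    # so check the primary group itself separately.
    $primary = Get-ADGroup -Identity $user.primaryGroup -Properties adminCount
    if ($primary.adminCount -eq 1) { $groups += $primary }

    [pscustomobject]@{
        Account             = $user.SamAccountName
        AdminCount          = $user.adminCount      # 1 = SDProp has stamped this account
        InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedGroups     = @($groups | Select-Object -ExpandProperty Name |
                                  Sort-Object -Unique)
    }
}

# 'user1' is the placeholder account name used in the question.
Test-AdminSDHolderExposure -SamAccountName 'user1'
```

Run it against the mailbox account whose inheritance flag keeps clearing. Any name in ProtectedGroups is a membership path that puts the account in scope of AdminSDHolder; an empty list means the reset is coming from something else in the domain.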
 
LVL 3

Author Comment

by:Jer
ID: 40788159
Still an issue.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40788170
At this point not sure what is going on. It is very clear that it is related to the AdminSDHolder process which is removing the permissions from this group.

Will.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40859146
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Question has a verified solution.
