Accounts keep disabling inheritance

I have an OU in AD with around 10 users in it.

Inheritance should be enabled on all users. There are 4 users on whom inheritance keeps being disabled after roughly an hour or 2.

Is there anything that could be causing this? I can't see any GPs or anything else. Running on a 2012 R2 DC.

I have also tried to manually set the permissions that I need applied by inheritance on 1 account, and when inheritance is disabled the permissions I assigned are removed.

Any help is appreciated.
CaptainGiblets Asked:
Will Szymkowski, Senior Solution Architect, Commented:
Because you have stated that this is happening every hour, it is likely to be the AdminSDHolder Service that is running and removing protected groups from these accounts. Take a look at the article below, as it provides more details on the AdminSDHolder Service that runs hourly in the background of Active Directory.

https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Will.
CaptainGiblets (Author) Commented:
Hour was just a rough guess, it could be 30 minutes or maybe even less. It seems to be random.

Reading through what you posted.

The people that this applies to are members of either the Account Operators group or Administrators (not my choice, it's set up like that). So I guess that is what's causing the permissions to be reset?
Will Szymkowski, Senior Solution Architect, Commented:
That is correct. When you are using built-in groups, they have special permissions which grant permissions on all machines based on the group you have added them to.

These are protected groups and I would personally stay away from using them. Create your own groups and assign them permissions based on access and you will avoid this issue.

Will.
CaptainGiblets (Author) Commented:
This is the plan eventually; however, this is causing a few issues at the minute. If I add permissions to the AdminSDHolder, do those permissions then get applied when it removes inheritance from the other accounts?
Will Szymkowski, Senior Solution Architect, Commented:
The AdminSDHolder is merely a system object that runs every hour. It checks the ACLs against the Protected Groups and if there are discrepancies it removes the memberships and resets the permissions.

See the link below and check out Method 2 as a workaround.
http://tsmith.co/2011/what-is-adminsdholder/

Will.
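
An added example, not part of the thread and not any participant's code: a read-only PowerShell check that lists, for the users in one OU, whether inheritance is disabled, the `adminCount` value, and any protected-group membership (direct or nested). The OU path is a placeholder and the SID list covers only some of the default protected groups; both are assumptions.

```powershell
# Added example: requires the ActiveDirectory module (RSAT); read-only queries.
Import-Module ActiveDirectory

# Assumption: placeholder OU, replace with the OU that holds the affected users.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# Well-known SIDs of some default protected groups (partial list).
$domainSid = (Get-ADDomain).DomainSID.Value
$protectedSids = @(
    'S-1-5-32-544',      # Administrators
    'S-1-5-32-548',      # Account Operators
    'S-1-5-32-549',      # Server Operators
    'S-1-5-32-550',      # Print Operators
    'S-1-5-32-551',      # Backup Operators
    "$domainSid-512"     # Domain Admins
)

# Map each member DN (direct or nested) to the protected groups it belongs to.
$membership = @{}
foreach ($sid in $protectedSids) {
    $group = Get-ADGroup -Identity $sid
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object {
            if (-not $membership.ContainsKey($_.distinguishedName)) {
                $membership[$_.distinguishedName] = @()
            }
            $membership[$_.distinguishedName] += $group.Name
        }
}

# Report inheritance state, adminCount and protected-group membership per user.
Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            User                = $_.SamAccountName
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            AdminCount          = $_.adminCount
            ProtectedGroups     = ($membership[$_.DistinguishedName] -join ', ')
        }
    } | Sort-Object InheritanceDisabled -Descending | Format-Table -AutoSize
```

A user showing `AdminCount` of 1 with no protected group listed may have been a member in the past, since the attribute is not cleared automatically when membership is removed.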
