Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations
Active Directory Security Group has permissions but group member does not
Hi all,
I'm fairly new to Active Directory Administration so I apologise if I'm missing something fundamental.
I have written a program in VB.Net which takes an image from an email, converts it into a Byte String, and puts it in to the sending user's ThumbnailPhoto attribute in Active Directory. I know that the program works when I run it as a console application, but does not run as a service when I specify LDAP credentials.
I have created a user in Active Directory which is how I am authenticating the DirectorySearcher and DirectoryEntry LDAP requests in my program. This user is a member of the Universal Security Group PhotoEditors.
I have successfully Delegated Access to this security group to be able to Read and Write the ThumbnailPhoto attribute within our Users Organisational Unit. This has successfully applied to our users and sub-objects within that OU. Images below.
However, at some point in the past inheritance has been disabled on some of our user accounts. I manually added the group to the 10 or so users that had inheritance disabled.
About an hour later I noticed that this group no longer had Security permissions on the users that had inheritance disabled. After some research I came across AdminSDHolder which appeared to be removing the security group. I then added the security group PhotoEditors to the AdminSDHolder entry and gave it Read and Write permissions to the ThumbnailPhoto attribute. This fixed the issue and now the PhotoEditors group has the correct permissions listed in the Security tab across all users. The image below shows a user that has inheritance disabled which also has the permission applied correctly by AdminSDHolder (since I did not add this permission manually).
This so far is working as I understand. The problem I am now encountering is when I go to Advanced Security properties on a user that is affected by AdminSDHolder, I can see the PhotoEditors group is there and has the correct permissions, but the user who is a member of that PhotoEditors group does not have the Write ThumbnailPhoto permission. I checked this under Properties - Security - Advanced - Effective Permissions, and entered the name of the user who is in the PhotoEditors group. Screenshot below.
The "My Photo" user is the only member of the Security Group PhotoEditors. It is my understanding that you create a security group, assign the required permissions to that security group, then add the users to the security group that you want to have that permission. But there appears to be something overriding the permissions that the user has, even though the group it's a member of has permissions.
I would be very grateful if anyone can shed any light on this, as it's been plaguing me in one form or another for the past week.
Many thanks :)
I'm fairly new to Active Directory Administration so I apologise if I'm missing something fundamental.
I have written a program in VB.Net which takes an image from an email, converts it into a Byte String, and puts it in to the sending user's ThumbnailPhoto attribute in Active Directory. I know that the program works when I run it as a console application, but does not run as a service when I specify LDAP credentials.
I have created a user in Active Directory which is how I am authenticating the DirectorySearcher and DirectoryEntry LDAP requests in my program. This user is a member of the Universal Security Group PhotoEditors.
I have successfully Delegated Access to this security group to be able to Read and Write the ThumbnailPhoto attribute within our Users Organisational Unit. This has successfully applied to our users and sub-objects within that OU. Images below.
However, at some point in the past inheritance has been disabled on some of our user accounts. I manually added the group to the 10 or so users that had inheritance disabled.
About an hour later I noticed that this group no longer had Security permissions on the users that had inheritance disabled. After some research I came across AdminSDHolder which appeared to be removing the security group. I then added the security group PhotoEditors to the AdminSDHolder entry and gave it Read and Write permissions to the ThumbnailPhoto attribute. This fixed the issue and now the PhotoEditors group has the correct permissions listed in the Security tab across all users. The image below shows a user that has inheritance disabled which also has the permission applied correctly by AdminSDHolder (since I did not add this permission manually).
This so far is working as I understand. The problem I am now encountering is when I go to Advanced Security properties on a user that is affected by AdminSDHolder, I can see the PhotoEditors group is there and has the correct permissions, but the user who is a member of that PhotoEditors group does not have the Write ThumbnailPhoto permission. I checked this under Properties - Security - Advanced - Effective Permissions, and entered the name of the user who is in the PhotoEditors group. Screenshot below.
The "My Photo" user is the only member of the Security Group PhotoEditors. It is my understanding that you create a security group, assign the required permissions to that security group, then add the users to the security group that you want to have that permission. But there appears to be something overriding the permissions that the user has, even though the group it's a member of has permissions.
I would be very grateful if anyone can shed any light on this, as it's been plaguing me in one form or another for the past week.
Many thanks :)
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
LVL 71
Your images show the right being applied to child user objects. Is the right on AdminSDHolder similarly configured? if so, it needs to apply to the current object, the ACL is copied from AdminSDHolder by the propagator, not applied as if objects were children.
Hi Chris,
Thanks for your quick reply.
I'm running Windows Server 2008 R2 Standard, and the permission entry is below:
Sorry for the stupid question but where would I apply this permission to the current object?
Thanks for your quick reply.
I'm running Windows Server 2008 R2 Standard, and the permission entry is below:
Sorry for the stupid question but where would I apply this permission to the current object?
Change the "apply to" drop down to include (or only be) the current object. At the moment it cannot apply because that right set on a user object will not apply to the user object. That works just fine in the context where you apply the right to an OU (to affect descendant objects).
Hi Chris,
When I change the "Apply to:" drop down to be "This object only", I cannot find the Write ThumbnailPhoto entry listed. Is there something that I am missing?
Many thanks,
David
When I change the "Apply to:" drop down to be "This object only", I cannot find the Write ThumbnailPhoto entry listed. Is there something that I am missing?
Many thanks,
David
That's annoying, is there an object that applies to this object and descendants?
It may be possible to set the permission properly outside of the GUI, it's limiting the choices because of the current object type (SDAdminHolder isn't a user).
Otherwise, see if there's anything in the Object tab that'll let you expand the selection. I'm afraid I haven't got an AD domain here to give you really clear directions.
It may be possible to set the permission properly outside of the GUI, it's limiting the choices because of the current object type (SDAdminHolder isn't a user).
Otherwise, see if there's anything in the Object tab that'll let you expand the selection. I'm afraid I haven't got an AD domain here to give you really clear directions.
Hi Chris,
I couldn't see anything in the Objects tab that did what I need - in there is all of the Create objects permissions from what I could tell.
I used DSACLS and ran the following command:
which seemed to apply the PhotoEditors group Read and Write thumbnailPhoto attribute permissions to This object only (image below).
I will check this later today to see if it has applied across the domain correctly. Many thanks for all of your help Chris :)
I couldn't see anything in the Objects tab that did what I need - in there is all of the Create objects permissions from what I could tell.
I used DSACLS and ran the following command:
dsacls "CN=AdminSDHolder,CN=System,DC=DOMAIN" /G FGDOM1\PhotoEditors:RPWP;thumbnailPhoto
which seemed to apply the PhotoEditors group Read and Write thumbnailPhoto attribute permissions to This object only (image below).
I will check this later today to see if it has applied across the domain correctly. Many thanks for all of your help Chris :)
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Command has granted correct permissions. As Chris pointed out, it needed to be done from the command-line (i.e. not the GUI), and the permission needed to be set as if it were being applied to the user.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
LDAP
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.