troubleshooting Question

Active Directory Security Group has permissions but group member does not

Avatar of dgloveruk
dgloveruk asked on
* LDAPActive DirectorySecurity
7 Comments2 Solutions125 ViewsLast Modified:
Hi all,

I'm fairly new to Active Directory Administration so I apologise if I'm missing something fundamental.

I have written a program in VB.Net which takes an image from an email, converts it into a Byte String, and puts it in to the sending user's ThumbnailPhoto attribute in Active Directory. I know that the program works when I run it as a console application, but does not run as a service when I specify LDAP credentials.

I have created a user in Active Directory which is how I am authenticating the DirectorySearcher and DirectoryEntry LDAP requests in my program. This user is a member of the Universal Security Group PhotoEditors.

I have successfully Delegated Access to this security group to be able to Read and Write the ThumbnailPhoto attribute within our Users Organisational Unit. This has successfully applied to our users and sub-objects within that OU. Images below.

 Permissions on the O-Users group. PhotoEditors security group has the permissions applied.
 Permissions on one of our accounts which shows inheritance working.
However, at some point in the past inheritance has been disabled on some of our user accounts. I manually added the group to the 10 or so users that had inheritance disabled.

About an hour later I noticed that this group no longer had Security permissions on the users that had inheritance disabled. After some research I came across AdminSDHolder which appeared to be removing the security group. I then added the security group PhotoEditors to the AdminSDHolder entry and gave it Read and Write permissions to the ThumbnailPhoto attribute. This fixed the issue and now the PhotoEditors group has the correct permissions listed in the Security tab across all users. The image below shows a user that has inheritance disabled which also has the permission applied correctly by AdminSDHolder (since I did not add this permission manually).

User account that has the permission applied from AdminSDHolder
This so far is working as I understand. The problem I am now encountering is when I go to Advanced Security properties on a user that is affected by AdminSDHolder, I can see the PhotoEditors group is there and has the correct permissions, but the user who is a member of that PhotoEditors group does not have the Write ThumbnailPhoto permission. I checked this under Properties - Security - Advanced - Effective Permissions, and entered the name of the user who is in the PhotoEditors group. Screenshot below.

Effective Permissions
The "My Photo" user is the only member of the Security Group PhotoEditors. It is my understanding that you create a security group, assign the required permissions to that security group, then add the users to the security group that you want to have that permission. But there appears to be something overriding the permissions that the user has, even though the group it's a member of has permissions.

I would be very grateful if anyone can shed any light on this, as it's been plaguing me in one form or another for the past week.

Many thanks :)

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 2 Answers and 7 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 7 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros