AD does changes undone after a while

  • Thread starter Thread starter Mikael Oskarsson
  • Start date Start date
M

Mikael Oskarsson

Hello

We have a strange thing going on in my customers AD.

We have one OU=LTK , in this OU i have 7000 account and 1000 groups that has
been migrated from NT 4 with ADMT v2.
If we take properties on the OU=LTK and goes to Security, and under Name ,
add a group called "LTK Admins" with read and write permissions and click
OK.
This group stays here for some times lets say 1-4 weeks but it's dissapear
after a while.

Same things happens with checkbox "Allow inheritable permission..." on the
same object, it's dissapear after a while.

The customer has not used "Delegate Control", I wonder if that is better, to
do the same thing?

Another thing is that one account that is "Account Operator" can't manage
another account that is "Account Operator"

Any ideers?
 
Hi Mikael-
It sounds like you may be encountering AdminSDHolder behavior.

817433 Delegated Permissions Are Not Available and Inheritance Is
Automatically
http://support.microsoft.com/?id=817433

Here's the relevant excerpt from that article:

When you delegate permissions using the Delegation of Control
wizard, these permissions rely on the user object that inherits the
permissions from the parent
container. Members of protected groups do not inherit permissions from
the
parent container. As a result, if you set permissions using the
Delegation of Control
wizard, these permissions are not applied to members of protected
groups.

Note Membership in a protected group is defined as either direct
membership or transitive membership using one or more security or
distribution
groups. Distribution groups are included because they can be converted
to
security groups.

In Windows Server 2003, the number of groups that are protected has
been increased to enhance security in Active Directory (see the "More
Information" section of this article for details). The number of groups
that are protected also increases if you apply the 327825 hotfix to Windows
2000.
***********************
If this does not apply in your situation, please repost.
 
Interesting info.

It is groups/users that is members of Server Operators
and Account Operators that has problems.

How can I verify if I have yhis error and must I call
Microsoft to get this fix.

Regards
 
The fix which gives this behavior is included in W2K SP4. If your servers
are Service Pack 4 then this is likely your issue.

To test whether it is applicable or not, remove the affected users from
having membership in those protected groups (i.e. Server Operators and
Account Operators). Then see if the problem recurs where specific
permissions or delegations you've intentionally set are lost (removed).

Please repost if you need assistance.
 
Back
Top