AD User & Inherited Permissions

[Jim]

I have a Domain Admin User object that is behaving strangely. It is located
in the root of the domain object. When I go into the security tab and then
select the advanced button, I notice the the inherited permission check box
is not selected. So I selected it and clicked Apply and OK. A Couple hours
latter the box is unchecked. I then manually checked the box on all of our
DC's within about 2 minutes time. Within an hour or two the box was
unchecked again. I need this Domain Admin to receive the Inherited
permissions. Where do I go from here?

Jim

 

[Brian Desmond [MVP]]

Well the long and short of it is that your DA account won't get the
inherited permissions.

There is a process which updates the security descriptor on any account
which is in one of the builtin admin groups every hour or so with a default
security descriptor.

What is the scenario that you have that requires these delegations remain?

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com

 

[Jim]

Brian,

We have added a mobile phone application and the Service Account needs to
had "Send As" rights to my user or I wont be able to send an email from my
mobile device.

I have even added the service account manually but it will be removed by the
same process that unchecks the inheritance box.

Jim

 

[Jorge de Almeida Pinto [MVP - DS]]

have a look at the following:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Jim]

Thanks Jeorge,

There is a lot to digest here. I will look into it.

Jim


"Jorge de Almeida Pinto [MVP - DS]"

 

[Brian Desmond [MVP]]

Ah. So, this is bad.

You should not be using your normal user account for administrative stuff.

Make yourself an account like $jim and put it in the admin groups. Take your
personal account out, clear the admincount attribute (set it to 0), and set
permissions to inherit.

Do everything you need to do with a runas command prompt and you'll be in
much better health from a security point of view.

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com

 

[Jim]

Of course you are right. It is one of those things I keep meaning to do but
never actually do. It is the best thing for security though and I am
committed to make it happen this quarter.

One interesting note. I got a divine idea yesterday that I tried and it
worked. I added the service account as a Delegate in Outlook with full
rights to my inbox. After I did that I was able to send from my mobile
device.

Thanks for your help,

Jim

 

[Jim]

I got a divine idea yesterday that I tried and it worked. I added the
service account as a Delegate in Outlook with full rights to my inbox. After
I did that I was able to send from my mobile device.

Thanks for your help,

Jim


"Jorge de Almeida Pinto [MVP - DS]"