DCs do not update user security changes

  • Thread starter Thread starter Megan Horner
  • Start date Start date
M

Megan Horner

When I select the checkbox "allow inheritable permissions
from parent to propogate to this object" on any user, 5-10
minutes later it will be unchecked again. I've tried
changing it on one DC then the other then both at the same
time but it doesn't seem to matter. I used DCDiag &
NetDiag and everything passed on both DCs. I can Ping the
FQDN and GUID of each DC from the other, so I believe DNS
is working properly. Does anyone have any ideas on what
could be the problem? Any help or suggestions would be
greatly appreciated.

Thanks a lot!

Megan
 
You are probably seeing the effect of AdminSDHolder object protecting AD
objects members of specific built in groups. Basically this means, that the
server, which holds PDC role checks every hour the ACL entries on those
objects and resets them according to the settings of AdminSDHolder object.
Those users of yours are members of which groups ?
See
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318180
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q232199
for more info

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
 
Matjaz,

Thanks a lot for the links!

Unfortunately, many of the users in question are not
members of any of the groups specified in that article.
That would've made sense, otherwise. I've tried comparing
users that I can change with users that the changes do not
stay and cannot find any obvious differences. I am almost
to the point of calling microsoft on this one (this is
affecting about 200 of the 600 users). Any other ideas?

Thanks!

Megan
 
Were they at any point in those groups? Are they in any groups that are in turn nested in any of the specified groups?
 
Joe,

Thanks for your response. No to both questions. I've
checked the users to compare groups they are in currently
and there doesn't seem to be any "common" group(s). I am
stumped at this point. Any other ideas?

Thanks a lot!

Megan
-----Original Message-----
Were they at any point in those groups? Are they in any
Click to expand...
groups that are in turn nested in any of the specified
groups?
 
Back
Top