carlrimmel
Got an interesting problem. We are running Windows 2003 SP1 Active
Directory. I am trying to add a specific "Deny" permission to the
Built-In Administrators group that would deny the ability for a member
of the group to be able to actually change the membership of the
Administrator group. (I know, I know... why is it a member of this
group if you don't want it to have the permissions - well, it is a
service account utilized by a lousy piece of software that needs to be
included in this group)
Regardless, here is what I have found. If I add a Deny to the
Administrators group for "Write Members" and "Apply Onto" "This Object
Only", then it works fine. But, since the AdminSDHolder reverts it
back every hour, I need to make the change on the AdminSDHolder. So, I
try to add a Deny on the AdminSDHolder for "Write Members" and "Apply
onto" "Group Objects" (because "This Object Only" doesn't list "Write
Members" on the AdminSDHolder object) then it doesn't work. Applying
it directly to the Administrators group using "Group Objects" doesn't
work either.
Is the Built-In Administrator group referred to as something other than
a "Group Object" within AD? This is the only reason I can see that
this would not work properly.
Any help would be appreciated.
Thanks
Carl