Former Domain Admins losing inheritance


Steve

I have a problem with users who once belonged to the
Domain Admins group losing their security settings. For
some reason, the security for these users cannot be
modified. I mean, when I change the security for these
users it is reset to what it had before I changed it.
Also, the "Allow inheritable permissions from parent to
propagate to this object" box is deselected within an hour or
so after I check it. Is this a known issue?
 
There is a thing called AdminSDHolder. It is a special set of ACEs set on admin accounts. The system constantly goes
through looking for these accounts and will reset their ACL to match the AdminSDHolder ACL. This happens with admin
accounts on W2K up to a certain hotfix, which I don't know off the top of my head, and at that point Account Operators
and others get added to the mix.

If the user IDs aren't in any of those enhanced built-in groups anymore, take a look at the adminCount property on the user
accounts. It is probably set to 1; clear this and set it to 0 with a script or adsiedit.msc, and that should correct your
problem.
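
An added example (not part of any post in this thread): a PowerShell audit of the situation the reply above describes, listing accounts stamped adminCount=1, whether they are still in a protected group through direct or nested membership, and repairing only the ones that are not. It assumes the ActiveDirectory module (newer than the Windows 2000 tooling discussed here) and a protected-group list that is a common subset chosen for illustration, not taken from the thread.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and an account
# allowed to read and modify the users in question.
Import-Module ActiveDirectory

# Assumption: a common subset of the groups AdminSDHolder protects. The exact
# list depends on OS version and hotfix level, so adjust it for your domain.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Administrators', 'Account Operators', 'Server Operators',
                   'Backup Operators', 'Print Operators'

# Collect every account that is still a member, directly or through nesting.
$stillProtected = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }   # e.g. Enterprise Admins in a child domain
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $name }
}

# Classify all users stamped adminCount=1. krbtgt is protected by itself,
# without any group membership, so it is left out of the audit.
$filter = '(&(adminCount=1)(!(sAMAccountName=krbtgt)))'
$report = foreach ($user in Get-ADUser -LDAPFilter $filter) {
    $dn  = $user.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    [pscustomobject]@{
        User               = $user.SamAccountName
        StillInGroup       = $stillProtected[$dn]   # empty = orphaned flag
        InheritanceBlocked = $acl.AreAccessRulesProtected
        DistinguishedName  = $dn
    }
}
$report | Format-Table User, StillInGroup, InheritanceBlocked -AutoSize

# Repair only the orphaned accounts. -WhatIf previews; remove it to apply.
foreach ($row in $report | Where-Object { -not $_.StillInGroup }) {
    $dn = $row.DistinguishedName
    Set-ADUser -Identity $dn -Clear adminCount -WhatIf
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance
    Set-Acl -Path "AD:\$dn" -AclObject $acl -WhatIf
}
```

An account that still shows a value under StillInGroup will have its adminCount and ACL reset again by the background process, so the group membership (including nested membership) has to be removed before the repair sticks.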
 
Thanks for the reply. I have tried to reset this to 0, but it is changed
back to 1 after about an hour. Maybe I do need the hotfix from Microsoft.

Steve

Joe Richards said:
There is a thing called AdminSDHolder. It is a special set of ACEs set on
admin accounts. The system constantly goes
through looking for these accounts and will reset their ACL to match the
AdminSDHolder ACL. This happens with admin
accounts on W2K up to a certain hotfix, which I don't know off the top of
my head, and at that point Account Operators
and others get added to the mix.

If the user IDs aren't in any of those enhanced built-in groups anymore,
take a look at the adminCount property on the user
accounts. It is probably set to 1; clear this and set it to 0 with a script
or adsiedit.msc, and that should correct your
 