Help on windows user object security


Guest

I hope somebody can help me with this. Our company is running Windows 2000
Server SP4 and we have organized our users into different OUs. The problem is
that under the IT OU and the management OU some user objects (not all) did not
inherit the built-in security groups like Account Operators, and when I
check the user properties > Security, the "Allow inheritable permissions from
parent" option is not selected. I selected it and it will only work for
a minute or more, then it will mysteriously reset back to being unselected.

I tried delegating control to the IT SG, which also belongs to that OU, but to no
avail. I also removed the allow inheritable permissions setting on the OU to prevent it
from inheriting a conflicting policy, but to no avail. I also checked GPOs and
there were no GPOs applied.
I even edited the Account Operators properties and changed it to "Apply to this
object and all child objects", also to no avail.

Thanks in advance
bendzi
 
This is by design.

Members of protected groups such as Account Operators, Domain Admins,
Enterprise Admins, etc. fall under the adminsdholder thread which runs every
hour on the PDC.

This process sets the admincount to 1 on all users that are a member
directly or transitively of a builtin protected group. It also resets each
user's permissions to match the permissions on the container
CN=AdminSDHolder,CN=System,DC=Domain,DC=local

It is possible to modify the permissions which this process sets by changing
the permissions on this container or change what the adminsdholder considers
to be a protected group. You can find all this information in the article
http://support.microsoft.com/kb/817433/en-us : Delegated permissions are not
available and inheritance is automatically disabled.

Brian Delaney
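
A read-only audit of the behaviour described in the answer above, added here as an example and not written by either poster: it lists every user object with adminCount=1, whether inheritance is disabled on it, and whether its DACL matches the one on the AdminSDHolder container. It assumes PowerShell 3 or later on a domain-joined machine and an account that can read security descriptors; the column names are illustrative.

```powershell
# Added example (not from the thread). Read-only: nothing is modified.
# Assumption: run on a domain-joined machine; uses ADSI, so no AD module is needed.

$rootDse  = [adsi]'LDAP://RootDSE'
$domainDn = "$($rootDse.defaultNamingContext)"

# Reference DACL: the AdminSDHolder container named in the answer.
$holder     = [adsi]"LDAP://CN=AdminSDHolder,CN=System,$domainDn"
$holderDacl = $holder.psbase.ObjectSecurity.GetSecurityDescriptorSddlForm('Access')

# User objects stamped by the AdminSDHolder process carry adminCount=1.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(adminCount=1))'
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'samaccountname'))

$report = foreach ($hit in $searcher.FindAll()) {
    # Security descriptor of the user object itself.
    $acl = $hit.GetDirectoryEntry().psbase.ObjectSecurity

    [pscustomobject]@{
        Account              = [string]$hit.Properties['samaccountname'][0]
        DistinguishedName    = [string]$hit.Properties['distinguishedname'][0]
        # True = "Allow inheritable permissions from parent" is unticked.
        InheritanceDisabled  = $acl.AreAccessRulesProtected
        # True = the DACL is the same one that sits on AdminSDHolder.
        MatchesAdminSDHolder = ($acl.GetSecurityDescriptorSddlForm('Access') -eq $holderDacl)
    }
}

$report | Sort-Object DistinguishedName | Format-Table -AutoSize
```

Accounts in the IT and management OUs that appear in this report with InheritanceDisabled set to True are the ones whose checkbox keeps resetting. The report also gives a reviewable list of which accounts are being treated as protected.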
 