Inheritable permissions are reset

Ilan

Hi,

I am trying to solve a problem which is a result of
upgrading the AD with SP4.
One of the fixes in SP4 is described in Q327709.
(results in unchecked "Allow inheritable permission..."
for some users)
I tried to check ("v") the "Allow inheritable
permission..." but as described in Q318180 - every 60 min.
the ACL check runs and these accounts (50 out of 400)
are reset (unchecked).

In Q817433 - one method mentions "Use DSacls".
1. How do I use DSacls to view the whole ACLs?
2. How do I use DSacls to repair this problem?
3. If a script should be used, please give details.

Thanks,
Ilan
 
I think you need to read the article more closely. You probably aren't setting the allow inherit in the right place. Note,
though, that setting that is a huge security hole if you do user delegation to non-full admins, as you make it so it is
possible to make a mistake and move a domain admin ID into an OU that is controlled by a non-domain admin and let them
gain control over the domain admin ID.

When you say you have 50 out of 400 accounts this is happening to, it means that you have 40 high power accounts on your
domain, which seems excessive. For comparison, across my domains I have some 250,000 userids and only 10 of them have the
group memberships that make it so AdminSDHolder is involved in resetting perms on them.
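
A read-only audit of the situation discussed in this thread, as an added example that is not part of either post: it lists every user flagged `adminCount=1`, whether inheritance is currently disabled on its ACL, and which protected group explains the flag. It assumes a current Windows system with the RSAT ActiveDirectory PowerShell module and an account with read access to the domain.

```powershell
# Added example (not from the thread): read-only audit of AdminSDHolder-protected users.
# Assumes the RSAT ActiveDirectory module and a session that can query the domain.
Import-Module ActiveDirectory

# Groups that the AdminSDHolder process has stamped as protected (adminCount = 1).
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

# Map each user DN to the protected groups it belongs to, nested membership included.
$why = @{}
foreach ($g in $protectedGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        if (-not $why.ContainsKey($m.DistinguishedName)) { $why[$m.DistinguishedName] = @() }
        $why[$m.DistinguishedName] += $g.Name
    }
}

# Every user flagged adminCount = 1, with the inheritance state of its ACL.
$report = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $groups = $why[$_.DistinguishedName]
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            # True means "Allow inheritable permissions..." is unchecked on this object.
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            ProtectedVia        = if ($groups) { ($groups | Sort-Object -Unique) -join ', ' }
                                  else { '(no protected group membership found)' }
        }
    }

$report | Sort-Object ProtectedVia, SamAccountName | Format-Table -AutoSize
```

Accounts reported with no protected group membership (other than `krbtgt`, which is protected directly) usually kept the flag from an earlier membership, because `adminCount` is not cleared when a user leaves a protected group.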
 