Permissions not applied to every user


Joseph Carew

Hi

I have run the delegate wizard on our domain to give our helpdesk users
the necessary rights to create/delete/modify the users and groups
within the domain.

Since I ran the wizard a couple of days ago I noticed that the helpdesk
cannot change certain users, these are random users in different OU's,
I noticed something else on the users they cannot administer, they
don't have the same security permissions applied to them, they look
like what could be default permissions. Below I have listed the groups
on a user they can administer and ones on which they can't.

User they can administer                          User they cannot administer

Account Operators                                 Administrators
Administrators                                    Authenticated Users
Authenticated Users                               Domain Admins
Domain Admins                                     Enterprise Admins
Enterprise Admins                                 Everyone
Everyone                                          Exchange Enterprise Servers
Exchange Enterprise Servers                       Pre Windows 2000
Pre Windows 2000                                  SYSTEM
SELF
SYSTEM
Workstations Admins (Group I added in DWizard)

As you can see they are missing Account Operators, SELF and Workstation
Admins, is there a reason why I have random users with the incorrect
permissions filtering down.

If I go into the affected users and go into advanced security
permissions and click default, it resets to defaults.

Can anyone explain why this has happened and the best way of setting
all back to default without affecting any special permissions applied.

TIA

Jorge de Almeida Pinto [MVP]

Every hour, the Microsoft Windows domain controller that has the primary
domain controller (PDC) emulator operations master role verifies the ACLs on
members of these administrative groups and compares them to the ACL on the
AdminSDHolder object. If the ACL that is on the AdminSDHolder object is
different, the ACLs on the members of the administrative group are reset to
match the ACL on the AdminSDHolder object.

For more info on the ADMINSDHOLDER object see the following related KB
articles (not all may apply to your situation!)

Description and Update of the Active Directory AdminSDHolder Object
--> MS-KBQ232199 (http://support.microsoft.com/?id=232199)
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
--> MS-KBQ318180 (http://support.microsoft.com/?id=318180)
Delegated permissions are not available and inheritance is automatically
disabled
--> MS-KBQ817433 (http://support.microsoft.com/?id=817433)
AdminSDHolder Object Affects Delegation of Control for Past Administrator
Accounts
--> MS-KBQ306398 (http://support.microsoft.com/?id=306398)
Security tab of the adminSDHolder object does not display all properties
--> MS-KBQ301188 (http://support.microsoft.com/?id=301188)
"You do not have sufficient permissions in the Domain" error message occurs
and Exchange Setup does not respond
--> MS-KBQ319966 (http://support.microsoft.com/?id=319966)
Certification Authority configuration to publish certificates in Active
Directory of trusted domain
--> MS-KBQ281271 (http://support.microsoft.com/?id=281271)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
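
A read-only audit for the situation this thread describes, added here as an example and not part of the original posts: it lists users that the hourly AdminSDHolder reset has stamped (`adminCount=1`) and flags those that no longer belong to a protected group. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the group list is an assumed subset identified by well-known SIDs.

```powershell
# Added example: read-only audit of accounts stamped by the AdminSDHolder process.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Well-known SIDs of protected groups (assumed subset; extend as needed).
$protectedSids = @(
    'S-1-5-32-544',      # Administrators
    'S-1-5-32-548',      # Account Operators
    'S-1-5-32-549',      # Server Operators
    'S-1-5-32-550',      # Print Operators
    'S-1-5-32-551',      # Backup Operators
    "$domainSid-512",    # Domain Admins
    "$domainSid-518",    # Schema Admins (forest root domain only)
    "$domainSid-519"     # Enterprise Admins (forest root domain only)
)

# Collect the DNs of everyone who is currently a direct or nested member.
$currentMembers = @{}
foreach ($sid in $protectedSids) {
    $group = Get-ADGroup -Filter "SID -eq '$sid'"
    if (-not $group) { continue }    # group does not exist in this domain
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $currentMembers[$_.DistinguishedName] = $true }
}

# Every user carrying adminCount=1 has been stamped at some point.
$report = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            CurrentMember       = $currentMembers.ContainsKey($_.DistinguishedName)
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            DistinguishedName   = $_.DistinguishedName
        }
    }

# Former members: stamped, but no longer in any of the groups checked above.
$report | Where-Object { -not $_.CurrentMember } |
    Sort-Object SamAccountName | Format-Table -AutoSize
```

The krbtgt account shows up in the output because it is protected in its own right rather than through group membership. Accounts listed with `InheritanceDisabled` set to True are the ones that will not pick up permissions delegated at the OU level.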
 

Joseph Carew


Thanks a lot guys, you've given a lot to read, I'll get cracking now


Joseph Carew

Hi Jorge

Can I confirm I understand this correctly, what I think happened in the
past before my time (I must add).

Certain users were added to certain groups to give them privileges
within AD and then removed. These seem to be the users affected that
my helpdesk cannot administer. So, if I change the security
permissions on the Adminsdholder object to include my Workstation
Admins group with the necessary rights to do their jobs, then this will
change the security on the users they cannot Administer. I am a little
worried that when it overwrites the ACL of a user they cannot
administer with that of the Adminsdholder object, that it will delete
any explicit rights given to say the person's secretary to their
mailboxes.

I hope this makes sense

TIA
