User account attributes greyed out

[Mark Knijnenburg]

A client of mine has upgraded their domain from NT4 to
2000. Accounts that were present in the domain before the
upgrade can be administered by Domain Admin accounts that
were also present before the upgrade, but newly created
Domain Admin accounts cannot change these older accounts
at all (all attributes greyed out). However, newly
created domain admin accounts can administer newly
created user accounts, all attributes can be modified.
Anyone seen this?

 

[Joe Richards [MVP]]

Verify the actual ACLs on the objects.

joe

 

[Mark Knijnenburg]

ACLs correct - Domain Admins Full Control. ACLs are
identical between older accounts (pre-upgrade) and newly
created accounts.

Mark

 

[Joe Richards [MVP]]

Run the following command against an old account and a new account, let me know
if there is a delta in the output


adfind -default -f samaccountname=username allowedAttributesEffective


You can get adfind on my website, www.joeware.net

joe