Yes, the adminSDHolder is good for this kind of surprise, but the main reason it exists is that you don't accidentally grant a "downlevel" group/user enough permissions to reset the PW on a highly privileged account, thus compromising security.
You should definitely go with the "separate admin account" model. This is not just for Enterprise or Domain Admins protected by the adminSDHolder, but also for lower-level OU or data admins, which could otherwise be compromised as well by a simple helpdesk user who is allowed to reset PWs at the specific OU level containing your "lower level" admins...

Regarding your name in the From field when sending e-mail: this is less up to you than to your Exchange admins (unless you are the same guy). Seems like your Exchange folks have configured your SMTP GW servers to remove the Display Name and only reveal the e-mail address instead. I actually prefer it this way, instead of showing a somewhat obscure Display Name (meant for internal handling of accounts) to the outside world, like we do it...

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 6 January 2004 08:13
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird issue with security descriptor reverting on replication

That looks like it might be the culprit. I need to do a little bit more checking and see if there are any exceptions, but this seems like the most logical explanation and so far it has been borne out. I think we can fix this, as the admins are SUPPOSED to be using special accounts for admin work and most of our applications that require special permissions shouldn't run as these users.

Now, if I could figure out how to make my name show up in the From field when mailing to the list from Outlook, I'd be all set :)

Thanks!
Joe K.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, January 05, 2004 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird issue with security descriptor reverting on replication

Joe, it sounds like you are being bitten by adminSDHolder. Poke around for it (archives for here and the newsgroups and MSKB); you will find considerable info on it now.
Basically there is a process that goes through and protects certain accounts (usually admin-type accounts like Ent Admins, Dom Admins, Admins, Acc Ops, Serv Ops, etc.) by removing the inherit flag and setting the ACL to the ACL of the adminSDHolder object in the System container. Once you "clean up" an ID you should see it reset in about 5-10 minutes. Check to see if you have the adminCount attribute populated on these IDs; that is the flag for the process. Any groups that the users are in that have that flag set will force the user to get that flag set as well.

joe

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
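The check joe describes above (look for adminCount on the affected IDs, see whether inheritance has been stripped, and compare the object's ACL with the one on AdminSDHolder) can be scripted. The following is an added example written for this page, not code posted by any participant in the thread. It assumes the RSAT ActiveDirectory PowerShell module (which provides the AD: drive used by Get-Acl) and a domain-joined session; the list of protected groups is the one named in the thread and is an assumption, not the complete list the SDProp process uses.

```powershell
# Added example (not from the thread): audit accounts flagged by the adminSDHolder process.
# Assumes the RSAT ActiveDirectory module; the AD: PSDrive it creates is used for Get-Acl.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Normalise an ACE to a comparable string (who, what rights, allow/deny, which object type).
function ConvertTo-RuleKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    "$($Rule.IdentityReference)|$($Rule.ActiveDirectoryRights)|$($Rule.AccessControlType)|$($Rule.ObjectType)"
}

$holderRules = (Get-Acl -Path "AD:\$holderDn").Access | ForEach-Object { ConvertTo-RuleKey $_ }

# Groups whose members the process protects, as listed in the thread above.
# Assumption: this subset is enough for the audit; the MSKB article lists the full set.
$protectedGroups = 'Enterprise Admins', 'Domain Admins', 'Administrators',
                   'Account Operators', 'Server Operators'

# Map DN -> protecting group for every (nested) member of a protected group.
# Enterprise Admins only exists in the forest root, so a missing group is not an error.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($null -eq $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        $protectedMembers[$_.distinguishedName] = $name
    }
}

# Every user/contact object carrying the adminCount flag the process sets.
$flagged = Get-ADObject -LDAPFilter '(&(objectCategory=person)(adminCount=1))' -Properties adminCount

$report = foreach ($obj in $flagged) {
    $acl   = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    $rules = $acl.Access | ForEach-Object { ConvertTo-RuleKey $_ }
    # Compare-Object returns nothing when both ACE sets match.
    $drift = Compare-Object -ReferenceObject $holderRules -DifferenceObject $rules

    [pscustomobject]@{
        Name               = $obj.Name
        InheritanceBlocked = $acl.AreAccessRulesProtected      # the "inherit flag removed" symptom
        MatchesAdminSDHolder = (-not $drift)                    # ACL already stamped, or still drifting
        ProtectedBy        = if ($protectedMembers.ContainsKey($obj.DistinguishedName)) {
                                 $protectedMembers[$obj.DistinguishedName]
                             } else {
                                 '(orphaned: adminCount=1 but in no protected group)'
                             }
    }
}

$report | Sort-Object ProtectedBy, Name | Format-Table -AutoSize
```

Accounts that show up as orphaned are the ones joe's "clean up" refers to: the process sets adminCount but never clears it, so an ID that was removed from an admin group keeps the flag and keeps getting the locked-down ACL. For those, clear adminCount and re-enable inheritance on the object (Set-ADObject -Clear adminCount, then SetAccessRuleProtection on the ACL and Set-Acl); an ID that is still a member of a protected group will simply be re-stamped within the process's next run, which is the behaviour the thread is describing.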
