Joe,

One other thing that will be of interest is that if a user/group has ever
been a member of a group (even if it's not a member now) that the
adminSDHolder affects, it will remain affected by the resets until the
adminCount flag is cleared.

(Props to our astute Mr. Joe Richards for educating many of us [self
included] on SDholder.... :o)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, January 06, 2004 1:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Wierd issue with security descriptor reverting on
replication

That looks like it might be the culprit. I need to do a little bit more
checking and see if there are any exceptions, but this seems like the most
logical explanation and so far it has borne out.

I think we can fix this as the admins are SUPPOSED to be using special
accounts for admin work and most of our applications that require special
permissions shouldn't run on these users.

Now, if I could figure out how to make my name show up in the from field
when mailing to the list from Outlook, I'd be all set :)

Thanks!

Joe K.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, January 05, 2004 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Wierd issue with security descriptor reverting on
replication

Joe, it sounds like you are being bitten by adminSDHolder. Poke around for it
(archives for here, the newsgroups and the MSKB) and you will find considerable
info on it now.

Basically there is a process that goes through and protects certain accounts
(usually admin type accounts like Ent Admins, Dom Admins, Admins, Acc Ops,
Serv Ops, etc) by removing the inherit flag and setting the ACL to the ACL
of the adminSDHolder object in the system container. Once you "clean up" an
ID you should see it reset in about 5-10 minutes.

Check to see if you have the adminCount attribute populated on these IDs;
that is the flag for the process. Any groups that the users are in that have
that flag set will force the user to get that flag set as well.

  joe
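The check joe and Rick describe above (adminCount as the SDProp flag, and accounts that keep it after leaving a protected group) as an added PowerShell example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module and uses the protected-group names given in the thread; the group list and the `$fix` switch are assumptions for illustration.

```powershell
# Added example: find objects flagged with adminCount=1 that are no longer
# members of any protected group, so they keep getting their ACL reset by
# SDProp. Run as a domain admin with RSAT installed. $fix is off by default;
# with -Fix it clears adminCount and re-enables ACL inheritance.
param([switch]$Fix)
Import-Module ActiveDirectory

# Groups named in the thread; AdminSDHolder protects more (e.g. Backup
# Operators, Print Operators, Schema Admins), so extend this list as needed.
$protectedGroups = @('Enterprise Admins', 'Domain Admins', 'Administrators',
                     'Account Operators', 'Server Operators')

# Collect DNs of the groups themselves plus all nested members.
$protected = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }           # e.g. Enterprise Admins in a child domain
    $protected[$grp.DistinguishedName] = $true
    Get-ADGroupMember -Identity $grp -Recursive |
        ForEach-Object { $protected[$_.DistinguishedName] = $true }
}

# Everything SDProp will touch, with the SD so inheritance state is visible.
$flagged = Get-ADObject -LDAPFilter '(adminCount=1)' `
           -Properties adminCount, nTSecurityDescriptor, sAMAccountName

# krbtgt is always flagged and is in no group; exclude it from the report.
$orphans = $flagged | Where-Object {
    $_.sAMAccountName -ne 'krbtgt' -and
    -not $protected.ContainsKey($_.DistinguishedName)
}

$orphans | Select-Object Name, DistinguishedName,
    @{ n = 'InheritanceBlocked'
       e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } } |
    Format-Table -AutoSize

if ($Fix) {
    foreach ($obj in $orphans) {
        $dn = $obj.DistinguishedName
        Set-ADObject -Identity $dn -Clear adminCount          # stop SDProp resets
        $acl = Get-Acl -Path "AD:\$dn"
        $acl.SetAccessRuleProtection($false, $true)           # re-enable inheritance
        Set-Acl -Path "AD:\$dn" -AclObject $acl
        Write-Host "Cleared adminCount and restored inheritance on $dn"
    }
}
```

Review the report before using -Fix: an account still in a protected group elsewhere (or in a group not in the list) will be re-flagged by SDProp within the 5-10 minutes the thread mentions.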



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/