From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, February 27, 2004 1:00 PM
To: [EMAIL PROTECTED]
Subject: RE: (Joe Read This) [ActiveDir] AD Protected groups
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joe
Sent: Friday, February 13, 2004 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Protected groupsDefine manage.What specifically do they need to do to the DCs? How many DCs do you have?I'm curious. I have just under 400 domain controllers with 2 guys doing full time admin work from one place in the world (with me getting sucked into silly design meetings with people who can't spell Windows) and we don't let anyone else log into our DCs. I'm just wondering if we are doing amazing things or we just aren't doing the job right.If we are doing amazing things I will be that much closer to writing the book Robbie keeps kicking me about. :oPI'm being serious about wanting to understand.thanks, joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kaluza, Mike
Sent: Thursday, February 12, 2004 8:47 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Protected groupsHas anyone got an answer to the Protected Groups inheritance problem
Our Windows 2000 servers are running service pack 4. Which as I understand means that the Server Operators group has now become a Protected Group. We have Site Administrators who are members of the Server Operators group because they need to manage the DC in there site.
Problem is they have no control over there site admin account. If you delegate permissions to them or a group the account belongs to these permissions are removed within the hour due to the SD Propagator thread running and removing the permissions based on ADminSDHolder.
I thought I found an answer to the problem. Which suggests changing the value of adminCount on the effect groups and user accounts. I understand that the SD Propagator thread checks the value of adminCount and if set to 1 removes any inherited permissions.
I tried this and it did not work.
Does anyone know if this method does work or is there an alternative. We don't want ADminSDHolder to inherit permissions - MS don't recommend this. We just want Server Operators to inherit permissions (directly or indirectly).
Regards Mike
"This transmission is strictly confidential and intended solely for the addressee. It may contain information which is covered by legal, professional or other privilege. If you are not the intended addressee, you must not disclose, copy or take any action in reliance on this transmission. If you have received this transmission in error, please notify us as soon as possible."
