Hello ;-) I had a strange issue yesterday.
An administrator who has full control(ct) of his OU and the child objects, was not able to modify a user account properties or password. The security option of the user object shows that the admin was not on the user object acl: the inheritance case that allows the parents to apply to this object ...was disabled !! After searching on the net, i have found that the adminsdholder was responsible for that. Endeed, user was member of print operators and thus is protected by adminsdholder throw his membershhip of this protected group. So i enabled the inheritance on the security option of the adminsdholder attribute, wait for less than 1 hour that PDCemulator "do his job", and checked that user object has the inheritance case activated: that's was OK and delegated admin was enjoyed ! :-) BUT, for my personnal interest, i think disabling the inheritance of the adminsdholder in not a good option d�e to security pruposes. So in this case, how can I just enabling inheritance of only this user acl without enabling it on the whole adminsdholder so the OU's admin have full ct on the user object. I also would like the user to continue to be member of the print operators. Thanks for your expert advices :o) NB: do not bother about my poor english writing and be indulgent 8-) Regards, Yann List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
