[ActiveDir] Security permissions on user object

[Rimmerman, Russ]

We migrated all our users from an NT4 domain to our AD domain.  Anyone who was in "Domain Admins" on our NT4 domain got migrated into "Domain Admins" on our AD domain.  We took them out of Domain Admins on our AD domain, but their accounts are inheriting the permissions like a normal user inherits.   Whenever someone who is NOT a domain admin tries to reset a password or modify any properties of these migrated "Domain Admins" who are no longer Domain Admins, they are denied access. If I open up one of these users, they are not inheriting the permissions on their user object like every other normal user does.  If I open their account and go to the object security the "Inherit from parent the permission entries that apply to child objects.  Include these with entries explicity defined here." box is not checked like every other user.  If I check the box, others are temporarily able to modify that former domain admins account, but eventually, the box is unchecked again and they inherit their old security on their user object and it's broken again.   I know that I once read that this is by design, but how the heck do I fix these users once and for all?  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~