|
Well…I guess you can reset it for all of them and count on the AdminSDHolder thread to reset them to 1 in about an hour or so…other than that, the logic needed in a script to differentiate between users who are / are not currently in one of the ‘protected groups’ would be astounding. You shouldn’t have a problem trusting the fact that it will happen to the accounts still in the “protected groups” since that’s what got you there in the first place J
Hopefully that was helpful…have a great night!
Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center
From: Rimmerman, Russ
[mailto:[EMAIL PROTECTED]
OK looks like ya'll are on the right track. I found the script in the KB article to reset all the admincounts to 0, but that sounds scary. Can't I selectively set admincounts to 0 on a user-by-user basis somehow? Or is it safe to reset all users' admincounts to 0? I see "Administrator" in there, so that _vbscript_ in http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares me.
From:
[EMAIL PROTECTED] on behalf of Robert Williams (RRE) Also keep in mind that if you were ever a member of one of these ‘protected groups’ that your inheritance will not be “turned on” again, nor will the admincount attribute be reset to 0….so you can change those back when you know the user isn’t a member of one of the ‘protected groups’ (changing those values before ensuring this will result in the values being reset…as you are well aware by this point). AdminCount is just a ‘book keeping’ method to know that the ACL has been stamped by AdminSDHolder.
I hope that helps.
Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
It ssounds like it's the adminSDHolder behavior that's getting you. Are the users members of any of the other protected groups? It varies across versions, IIRC 2003 added more groups. The articles below should help point in the right direction.
http://support.microsoft.com/default.aspx?scid=kb;en-us;318180 http://support.microsoft.com/default.aspx?scid=kb;en-us;817433
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ We migrated all our users from an NT4 domain to our AD domain. Anyone who was in "Domain Admins" on our NT4 domain got migrated into "Domain Admins" on our AD domain. We took them out of Domain Admins on our AD domain, but their accounts are inheriting the permissions like a normal user inherits.
Whenever someone who is NOT a domain admin tries to reset a password or modify any properties of these migrated "Domain Admins" who are no longer Domain Admins, they are denied access.
I know that I once read that this is by design, but how the heck do I fix these users once and for all?
|
- RE: [ActiveDir] Security permissions on user objec... Robert Williams \(RRE\)
- RE: [ActiveDir] Security permissions on user ... Rimmerman, Russ
- RE: [ActiveDir] Security permissions on u... Rick Kingslan
- RE: [ActiveDir] Security permissions on user ... Robert Williams \(RRE\)
- RE: [ActiveDir] Security permissions on user ... Jorge de Almeida Pinto
- RE: [ActiveDir] Security permissions on user ... Rimmerman, Russ
- RE: [ActiveDir] Security permissions on user ... Rimmerman, Russ
- RE: [ActiveDir] Security permissions on user ... Rimmerman, Russ
- RE: [ActiveDir] Security permissions on u... Rick Kingslan
- RE: [ActiveDir] Security permissions on user ... Jorge de Almeida Pinto
- RE: [ActiveDir] Security permissions on user ... Jorge de Almeida Pinto
