Jorge --

I was following those threads, which unfortunately did not clue me in. The users that have AdminCount=1 but shouldn't, have never been in a protected group, nor are they in a non-protected group that is nested in a protected group.

I have even gone so far as to remove all group memberships (besides Domain Users) for a particular user, force replication, admod the attribute to 0 and still it resets to 1 after an hour.

Thanks for the reply - I'd appreciate any more feedback you may have.

john

Jorge de Almeida Pinto wrote:
Hi,

This was a thread that was discussed a few days ago. See the following post
from Joe where he explains some things in addition to my own post.
http://www.mail-archive.com/[email protected]/msg29621.html

HINTS:
* nested groups -> is that user a member of a non-default-protected-group
and where that non-default-protected-group IS a member of a protected group.
* were those users somehow members of protected groups in the past? If they
were and now are not, the admincount will not be reset to 0.

Is this an answer to your issue?

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 6/10/2005 8:35 PM
Subject: [ActiveDir] troubleshooting object permission inheritance

Greetings --

Using adfind to identify users who have the AdminCount attribute set to 1.

Looking at the output there are users who are expected to have that set seeing that they are Domain Admins BUT I also see a handful of users who are not members of a protected group.

Using admod to set AdminCount=0 for those users temporarily sets it until the PDC mechanism runs which compares the ACLs and resets it.

If the user isn't in a protected group then what is causing this behavior? And I guess once I know that I can set AdminCount=0 for them, permanently?

tia,

john
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
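
The two hints in the thread (nested membership, and past membership that leaves AdminCount at 1) can be checked offline against a directory export; the following is an added example, not code from the thread or from adfind/admod. It classifies each AdminCount=1 account as direct, nested, or having no current path to a protected group. The user and group names, the data layout and the protected-group subset are constructed assumptions, and the primary group is included because memberOf does not list it.

```python
from collections import deque

# Constructed sample export (not from the thread): group -> groups it is nested in.
GROUP_MEMBER_OF = {
    "Helpdesk-L2": ["Server-Ops-Role"],
    "Server-Ops-Role": ["Server Operators"],
    "LoopA": ["LoopB"], "LoopB": ["LoopA"],  # circular nesting must not hang the walk
}
# Constructed users. "primary" is the primary group, which memberOf does not list.
USERS = {
    "alice": {"adminCount": 1, "memberOf": ["Domain Admins"], "primary": "Domain Users"},
    "bob":   {"adminCount": 1, "memberOf": ["Helpdesk-L2"], "primary": "Domain Users"},
    "carol": {"adminCount": 1, "memberOf": ["Sales", "LoopA"], "primary": "Domain Users"},
    "dave":  {"adminCount": 1, "memberOf": [], "primary": "Domain Admins"},
    "erin":  {"adminCount": 0, "memberOf": ["Sales"], "primary": "Domain Users"},
}
# Assumption: a subset of the default protected groups; extend for the domain in question.
PROTECTED = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
             "Account Operators", "Server Operators", "Backup Operators", "Print Operators"}

def path_to_protected(start_groups, group_member_of, protected):
    """Breadth-first walk up the nesting; return the shortest chain ending in a protected group, or None."""
    queue = deque([g] for g in start_groups)
    seen = set(start_groups)
    while queue:
        chain = queue.popleft()
        if chain[-1] in protected:
            return chain
        for parent in group_member_of.get(chain[-1], []):
            if parent not in seen:
                seen.add(parent)
                queue.append(chain + [parent])
    return None

def classify(users, group_member_of, protected):
    """Map each adminCount=1 user to (status, chain of groups explaining the status)."""
    report = {}
    for name, u in users.items():
        if u["adminCount"] != 1:
            continue
        chain = path_to_protected([u["primary"]] + u["memberOf"], group_member_of, protected)
        if chain is None:
            report[name] = ("no-current-path", [])  # e.g. a former member, per the second hint
        else:
            report[name] = ("direct" if len(chain) == 1 else "nested", chain)
    return report

if __name__ == "__main__":
    for user, (status, chain) in classify(USERS, GROUP_MEMBER_OF, PROTECTED).items():
        print(f"{user:6} {status:16} {' -> '.join(chain)}")
```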

