Not a strange question ... I looked into that when I first started the
troubleshooting process .... Domain Users is a member of the Builtin
Users group which is not a protected group in my environment.
Just so I have it straight:
If a user is a member of a protected group its AdminCount attribute
will be 1. If said user is removed from that group its AdminCount
attribute will remain 1 until it is changed. Once it is removed from
the protected group and the attribute changed to 0 it should remain at 0
- yes?
Back to my problem - user is not a member of a protected group and I
can't change the AdminCount to 0 w/o it being reset to 1.
thanks so far,
john
Jorge de Almeida Pinto wrote:
John,
OK, the users you are talking about are non-default-admin-users and are not
members of protected groups and never have been.
Maybe a strange question.. which groups is the domain users group a member
of?
#JORGE#
-----Original Message-----
From: [EMAIL PROTECTED]
To: '[email protected] '
Sent: 6/10/2005 10:10 PM
Subject: Re: [ActiveDir] troubleshooting object permission inheritance
Jorge --
I was following those threads which unfortunately did not clue me in.
The users that have AdminCount=1 but shouldn't have never been in a
protected group nor are they in a non protected group that is nested in
a protected group.
I have even gone so far as to remove all group memberships (besides
Domain Users) for a particular user, force replication, admod the
attribute to 0 and still it resets to 1 after an hour.
Thanks for the reply - I'd appreciate any more feedback you may have.
john
Jorge de Almeida Pinto wrote:
Hi,
This was a thread that was discussed a few days ago. See the following post
from Joe where he explains some things in addition to my own post.
http://www.mail-archive.com/[email protected]/msg29621.html
HINTS:
* nested groups -> is that user a member of a non-default-protected-group
  and where that non-default-protected-group IS a member of a protected group.
* were those users somehow members of protected groups in the past? If they
  were and now are not the admincount will not be reset to 0
Is this an answer to your issue?
#JORGE#
-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 6/10/2005 8:35 PM
Subject: [ActiveDir] troubleshooting object permission inheritance
Greetings --
Using adfind to identify users who have the AdminCount attribute set to 1.
Looking at the output there are users who are expected to have that set
seeing that they are Domain Admins BUT I also see a handful of users who
are not members of a protected group.
Using admod to set AdminCount=0 for those users temporarily sets it
until the PDC mechanism runs which compares the ACLs and resets it.
If the user isn't in a protected group then what is causing this
behavior? And I guess once I know that I can set AdminCount=0 for them,
permanently?
tia,
john
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
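
An added example (not written by anyone in this thread): the membership check the thread keeps returning to, run over a constructed directory snapshot. For every account with AdminCount=1 it walks direct, nested and primary-group membership (the primary group is not listed among a user's ordinary group memberships, so it is followed separately) and reports the chain that leads to a protected group, or flags the account when no chain exists. The record layout, the user names, the groups Helpdesk, Server Ops, Loop A and Loop B, and the contents of `PROTECTED` are assumptions made for the example.

```python
# Constructed snapshot, not real data. Maps a group to the groups it is a direct member of.
GROUP_MEMBER_OF = {
    "Domain Users": ["Users"],
    "Helpdesk": ["Server Ops"],          # hypothetical custom groups
    "Server Ops": ["Domain Admins"],     # nesting into a protected group
    "Domain Admins": ["Administrators"],
    "Loop A": ["Loop B"],                # circular nesting must not hang the walk
    "Loop B": ["Loop A"],
}
# Assumption: the groups this environment treats as protected.
PROTECTED = {"Domain Admins", "Administrators"}

USERS = [  # constructed accounts
    {"name": "alice", "admin_count": 1, "primary": "Domain Users", "member_of": ["Domain Admins"]},
    {"name": "bob", "admin_count": 1, "primary": "Domain Users", "member_of": ["Helpdesk"]},
    {"name": "carol", "admin_count": 1, "primary": "Domain Users", "member_of": []},
    {"name": "dave", "admin_count": 0, "primary": "Domain Users", "member_of": ["Loop A"]},
]

def protected_path(user, group_member_of, protected):
    """Breadth-first walk; returns the shortest chain to a protected group, or None."""
    queue = [[g] for g in [user["primary"]] + list(user["member_of"])]
    seen = set()
    while queue:
        path = queue.pop(0)
        group = path[-1]
        if group in protected:
            return path
        if group in seen:
            continue
        seen.add(group)
        for parent in group_member_of.get(group, []):
            queue.append(path + [parent])
    return None

def audit(users, group_member_of, protected):
    """Split AdminCount=1 accounts into those with a membership chain and those without."""
    explained, unexplained = {}, []
    for u in users:
        if u["admin_count"] != 1:
            continue
        path = protected_path(u, group_member_of, protected)
        if path:
            explained[u["name"]] = path
        else:
            unexplained.append(u["name"])
    return explained, unexplained

if __name__ == "__main__":
    print(audit(USERS, GROUP_MEMBER_OF, PROTECTED))
```

Accounts in the second list have no current membership chain, so the flag on them calls for a cause other than present group membership.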