If a user is only in Domain Users (obviously the primary group for the user), and by only I mean not in any other security OR distribution groups, and the Domain Users group is not nested into any groups other than BUILTIN\Users, then you clear adminCount and reset the protection on the user account. If it STILL gets tapped and reset to protected and adminCount is set to 1, I would call MS; you may have found a nice bug, as that isn't how it is supposed to work.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Singler
Sent: Friday, June 10, 2005 4:55 PM
To: [email protected]
Subject: Re: [ActiveDir] troubleshooting object permission inheritance

Not a strange question ... I looked into that when I first started the troubleshooting process .... Domain Users is a member of the Builtin Users group, which is not a protected group in my environment.

Just so I have it straight: If a user is a member of a protected group, its AdminCount attribute will be 1. If said user is removed from that group, its AdminCount attribute will remain 1 until it is changed. Once it is removed from the protected group and the attribute changed to 0, it should remain at 0 - yes?

Back to my problem - the user is not a member of a protected group and I can't change the AdminCount to 0 w/o it being reset to 1.

thanks so far,
john

Jorge de Almeida Pinto wrote:
> John,
>
> OK, the users you are talking about are non-default-admin-users and are not members of protected groups and never have been.
>
> Maybe a strange question.. which groups is the Domain Users group a member of?
>
> #JORGE#
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: '[email protected] '
> Sent: 6/10/2005 10:10 PM
> Subject: Re: [ActiveDir] troubleshooting object permission inheritance
>
> Jorge --
>
> I was following those threads, which unfortunately did not clue me in. The users that have AdminCount=1 but shouldn't have never been in a protected group, nor are they in a non-protected group that is nested in a protected group.
>
> I have even gone so far as to remove all group memberships (besides Domain Users) for a particular user, force replication, admod the attribute to 0, and still it resets to 1 after an hour.
>
> Thanks for the reply - I'd appreciate any more feedback you may have.
>
> john
>
> Jorge de Almeida Pinto wrote:
>
>> Hi,
>>
>> This was a thread that was discussed a few days ago. See the following post from Joe where he explains some things in addition to my own post.
>> http://www.mail-archive.com/[email protected]/msg29621.html
>>
>> HINTS:
>> * nested groups -> is that user a member of a non-default-protected-group, where that non-default-protected-group IS a member of a protected group?
>> * were those users somehow members of protected groups in the past? If they were and now are not, the adminCount will not be reset to 0.
>>
>> Is this an answer to your issue?
>>
>> #JORGE#
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> To: [email protected]
>> Sent: 6/10/2005 8:35 PM
>> Subject: [ActiveDir] troubleshooting object permission inheritance
>>
>> Greetings --
>>
>> Using adfind to identify users who have the AdminCount attribute set to 1.
>>
>> Looking at the output there are users who are expected to have that set, seeing that they are Domain Admins, BUT I also see a handful of users who are not members of a protected group.
>>
>> Using admod to set AdminCount=0 for those users temporarily sets it until the PDC mechanism runs, which compares the ACLs and resets it.
>>
>> If the user isn't in a protected group, then what is causing this behavior? And I guess once I know that I can set AdminCount=0 for them, permanently?
>>
>> tia,
>>
>> john
>> List info : http://www.activedir.org/List.aspx
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>>
>> This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
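The check the thread walks through (list users with adminCount=1 that are not in a protected group, clear adminCount, re-enable inheritance, then see whether SDProp re-protects them), as an added PowerShell example that is not part of the thread and is not code from any of its authors. It uses the RSAT ActiveDirectory module instead of adfind/admod, and it assumes the well-known protected-group names documented for Windows Server 2003 SP1 and later (verify against your own forest). Because a memberOf-based query never sees primary-group membership, it also resolves the user's primary group (Domain Users, via primaryGroupID) and checks whether that group is itself protected or nested into a protected group, which is exactly the path Jorge asks about.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module
# and an account allowed to read and write the affected user objects.
Import-Module ActiveDirectory

# Protected groups as documented for Windows Server 2003 SP1 and later (assumed;
# Cert Publishers was additionally protected on Windows 2000 DCs). Verify for your forest.
$ProtectedGroupNames = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

function Get-ProtectedPrincipalSet {
    # Returns a HashSet of DNs: the protected groups themselves plus every object that
    # is a transitive member of one of them (LDAP_MATCHING_RULE_IN_CHAIN on memberOf).
    # memberOf does not record primary-group membership; Test-AdminCountSuspect covers that.
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($name in $ProtectedGroupNames) {
        $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)"
        if (-not $group) { continue }   # e.g. no RODC group in an older forest
        [void]$set.Add($group.DistinguishedName)
        $chain = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
        Get-ADObject -LDAPFilter $chain | ForEach-Object { [void]$set.Add($_.DistinguishedName) }
    }
    return ,$set   # the comma stops PowerShell from unrolling the set into an array
}

function Test-AdminCountSuspect {
    # $true when the user carries adminCount=1 without any protected-group path we can see.
    param(
        [Parameter(Mandatory)] $User,          # from Get-ADUser with -Properties primaryGroupID
        [Parameter(Mandatory)] $ProtectedSet,
        [Parameter(Mandatory)] [string]$DomainSid
    )
    # Administrator (RID 500) and krbtgt (RID 502) are protected as individual accounts.
    $rid = $User.SID.Value.Split('-')[-1]
    if (@('500', '502') -contains $rid) { return $false }
    if ($ProtectedSet.Contains($User.DistinguishedName)) { return $false }
    # Primary group: resolve by SID (domain SID + primaryGroupID) and check whether it is
    # protected or nested into a protected group, the "which groups is Domain Users a
    # member of?" case from the thread.
    $primary = Get-ADGroup -Identity "$DomainSid-$($User.primaryGroupID)"
    if ($ProtectedSet.Contains($primary.DistinguishedName)) { return $false }
    return $true
}

function Reset-AdminCountProtection {
    # The "clear admincount and reset the protection" step: SDProp never clears
    # adminCount on its own, and it leaves the ACL marked as protected (inheritance off).
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Set-ADUser -Identity $DistinguishedName -Clear adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.SetAccessRuleProtection($false, $true)   # isProtected=$false, preserveInheritance=$true
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

# --- main ---
$domainSid    = (Get-ADDomain).DomainSID.Value
$protectedSet = Get-ProtectedPrincipalSet

$suspects = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, primaryGroupID |
    Where-Object { Test-AdminCountSuspect -User $_ -ProtectedSet $protectedSet -DomainSid $domainSid }

$suspects | Select-Object SamAccountName, DistinguishedName

# Remediate, then run the query again after SDProp's next pass (hourly on the PDC
# emulator by default; on newer DCs it can be triggered on demand by writing
# runProtectAdminGroups=1 to rootDSE, fixupInheritance=1 on Windows Server 2003;
# assumed from Microsoft's documentation). A user flagged again after this was
# protected through a path the script could not see, or, as joe says, it is a bug.
foreach ($u in $suspects) { Reset-AdminCountProtection -DistinguishedName $u.DistinguishedName }
```

Run the listing part first and look at what it reports before letting the remediation loop touch anything: the transitive-membership filter and the primary-group lookup are the two places where an account can be protected without showing up in a plain memberOf query, and an account that is genuinely nested into a protected group should keep adminCount=1.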
