thanks joe - that is exactly what i am experiencing. i'll update the list when/if i get a fix/solution.
again many thanks,

john

Quoting joe <[EMAIL PROTECTED]>:

> If a user is only in Domain Users (obviously the primary group for the user)
> and when I mean only I mean not in any other security OR distribution groups
> and the domain users group is not nested into any groups other than
> BUILTIN\Users. Then you clear admincount and reset the protection on the
> user account. And then it STILL gets tapped and reset to protected and
> admincount is set to 1 I would call MS, you may have found a nice bug as
> that isn't how it is supposed to work.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
> Sent: Friday, June 10, 2005 4:55 PM
> To: [email protected]
> Subject: Re: [ActiveDir] troubleshooting object permission inheritance
>
> not a strange question ... i looked into that when i first started the
> troubleshooting process .... Domain Users is a member of the Builtin Users
> group which is not a protected group in my environment.
>
> Just so i have it straight:
>
> If a user is a member of a protected group its AdminCount attribute will be
> 1. If said user is removed from that group its AdminCount attribute will
> remain 1 until it is changed. Once it is removed from the protected group
> and the attribute changed to 0 it should remain at 0
> - yes?
>
> Back to my problem - user is not a member of a protected group and i can't
> change the AdminCount to 0 w/o it being reset to 1.
>
> thanks so far,
>
> john
>
> Jorge de Almeida Pinto wrote:
> > John,
> >
> > OK, the users you are talking about are non-default-admin-users and
> > are not members of protected groups and never have been.
> >
> > Maybe a strange question.. which groups is the domain users group a
> > member of?
> >
> > #JORGE#
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > To: '[email protected] '
> > Sent: 6/10/2005 10:10 PM
> > Subject: Re: [ActiveDir] troubleshooting object permission inheritance
> >
> > Jorge --
> >
> > I was following those threads which unfortunately did not clue me in.
> > The users that have AdminCount=1 but shouldn't have never been in a
> > protected group nor are they in a non protected group that is nested
> > in protected group.
> >
> > I have even gone so far as to remove all group memberships (besides
> > Domain Users) for a particular user, force replication, admod the
> > attribute to 0 and still it resets to 1 after an hour.
> >
> > Thanks for the reply - i'd appreciate any more feedback you may have.
> >
> > john
> >
> > Jorge de Almeida Pinto wrote:
> >
> >>Hi,
> >>
> >>This was a thread that was discussed a few days ago. See the following post
> >>from Joe where he explains some things in addition to my own post.
> >>http://www.mail-archive.com/[email protected]/msg29621.html
> >>
> >>HINTS:
> >>* nested groups -> is that user a member of a non-default-protected-group
> >>and where that non-default-protected-group IS a member of a protected group.
> >>* were those users somehow members of protected groups in the past? If they
> >>were and now are not the admincount will not be reset to 0
> >>
> >>Is this an answer to your issue?
> >>
> >>#JORGE#
> >>
> >>-----Original Message-----
> >>From: [EMAIL PROTECTED]
> >>To: [email protected]
> >>Sent: 6/10/2005 8:35 PM
> >>Subject: [ActiveDir] troubleshooting object permission inheritance
> >>
> >>Greetings --
> >>
> >>Using adfind to identify users who have the AdminCount attribute set to
> >>1.
> >>
> >>Looking at the output there are users who are expected to have that set
> >>seeing that they are Domain Admins BUT i also see a handful of users who
> >>are not members of a protected group.
> >>
> >>Using admod to set AdminCount=0 for those users temporarily sets it
> >>until the PDC mechanism runs which compares the ACLs and resets it.
> >>
> >>If the user isn't in a protected group then what is causing this
> >>behavior? And i guess once i know that i can set AdminCount=0 for them,
> >>permanently?
> >>
> >>tia,
> >>
> >>john
> >>List info : http://www.activedir.org/List.aspx
> >>List FAQ : http://www.activedir.org/ListFAQ.aspx
> >>List archive:
> >>http://www.mail-archive.com/activedir%40mail.activedir.org/
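
Added example, not part of the thread and not code from any of the posters: the nested-group check from the HINTS above, run over a constructed directory so it works offline. All names and memberships are made up, the protected set holds only Domain Admins (the one protected group the thread names), and `path_to_protected` and `audit` are hypothetical helpers.

```python
from collections import deque

# Constructed sample data. Each group maps to the groups it is directly nested in.
GROUP_MEMBER_OF = {
    "Domain Users": {"Users"},
    "Helpdesk": {"Tier2 Ops"},
    "Tier2 Ops": {"Domain Admins", "Helpdesk"},  # deliberate nesting loop
    "Domain Admins": set(),
    "Users": set(),
}
# The primary group is tracked separately because AD records it on the user
# (primaryGroupID) and does not list it in memberOf.
USERS = {
    "alice": {"primary": "Domain Users", "member_of": {"Domain Admins"}, "admin_count": 1},
    "bob": {"primary": "Domain Users", "member_of": {"Helpdesk"}, "admin_count": 1},
    "carol": {"primary": "Domain Users", "member_of": set(), "admin_count": 1},
    "dave": {"primary": "Domain Users", "member_of": set(), "admin_count": 0},
}
PROTECTED = {"Domain Admins"}  # assumption: replace with your domain's protected groups

def path_to_protected(user, group_member_of, protected):
    """Return the shortest group chain from the user into a protected group, or None."""
    start = set(user["member_of"]) | {user["primary"]}
    queue = deque([g] for g in sorted(start))
    seen = set(start)  # guards against nesting loops
    while queue:
        path = queue.popleft()
        if path[-1] in protected:
            return path
        for parent in sorted(group_member_of.get(path[-1], ())):
            if parent not in seen:
                seen.add(parent)
                queue.append(path + [parent])
    return None

def audit(users, group_member_of, protected):
    """Map each adminCount=1 user to its membership chain, or to 'unexplained'."""
    report = {}
    for name, user in users.items():
        if user["admin_count"] != 1:
            continue
        path = path_to_protected(user, group_member_of, protected)
        # 'unexplained' means no current direct, nested or primary-group path:
        # either a leftover from past membership or the behaviour John reports.
        report[name] = path if path else "unexplained"
    return report

if __name__ == "__main__":
    for name, result in audit(USERS, GROUP_MEMBER_OF, PROTECTED).items():
        print(name, "->", result)
```

For real data, fill the two dictionaries from a directory export; only the "unexplained" accounts need the follow-up discussed in the thread.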
