yes, admod'd them to 0 then changed the perms to Default (which turns on
inheritance).

Quoting Jorge de Almeida Pinto <[EMAIL PROTECTED]>:

>  have you also changed the inheritance setting of those accounts?
> #JORGE#
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: [email protected]
> Sent: 6/10/2005 10:54 PM
> Subject: Re: [ActiveDir] troubleshooting object permission inheritance
> 
> not a strange question ... i looked into that when i first started the 
> troubleshooting process .... Domain Users is a member of the Builtin 
> Users group which is not a protected group in my environment.
> 
> Just so i have it straight:
> 
> If a user is a member of a protected group its AdminCount attribute 
> will be 1.  If said user is removed from that group its AdminCount 
> attribute will remain 1 until it is changed.  Once it is removed from 
> the protected group and the attribute changed to 0 it should remain at 0
> 
>   - yes?
> 
> Back to my problem - user is not a member of a protected group and i 
> can't change the AdminCount to 0 w/o it being reset to 1.
> 
> thanks so far,
> 
> john
> 
> Jorge de Almeida Pinto wrote:
> > John,
> > 
> > OK, the users you are talking about are non-default-admin-users and are not
> > members of protected groups and never have been.
> > 
> > Maybe a strange question.. which groups is the domain users group a member
> > of?
> > 
> > #JORGE#
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > To: '[email protected] '
> > Sent: 6/10/2005 10:10 PM
> > Subject: Re: [ActiveDir] troubleshooting object permission inheritance
> > 
> > Jorge --
> > 
> > I was following those threads which unfortunately did not clue me in. 
> > The users that have AdminCount=1 but shouldn't have never been in a 
> > protected group nor are they in a non protected group that is nested in
> > protected group.
> > 
> > I have even gone so far as to remove all group memberships (besides 
> > Domain Users) for a particular user, force replication, admod the 
> > attribute to 0 and still it resets to 1 after an hour.
> > 
> > Thanks for the reply - i'd appreciate any more feedback you may have.
> > 
> > john
> > 
> > Jorge de Almeida Pinto wrote:
> > 
> >>Hi,
> >>
> >>This was a thread that was discussed a few days ago. See the following post
> >>from Joe where he explains some things in addition to my own post.
> >>http://www.mail-archive.com/[email protected]/msg29621.html
> >>
> >>HINTS:
> >>* nested groups -> is that user a member of a non-default-protected-group
> >>and where that non-default-protected-group IS a member of a protected group.
> >>* were those users somehow members of protected groups in the past? If they
> >>were and now are not the admincount will not be reset to 0
> >>
> >>Is this an answer to your issue?
> >>
> >>#JORGE#
> >>
> >>-----Original Message-----
> >>From: [EMAIL PROTECTED]
> >>To: [email protected]
> >>Sent: 6/10/2005 8:35 PM
> >>Subject: [ActiveDir] troubleshooting object permission inheritance
> >>
> >>Greetings --
> >>
> >>Using adfind to identify users who have the AdminCount attribute set to 1.
> >>
> >>Looking at the output there are users who are expected to have that set 
> >>seeing that they are Domain Admins BUT i also see a handful of users who
> >>are not members of a protected group.
> >>
> >>Using admod to set AdminCount=0 for those users temporarily sets it 
> >>until the PDC mechanism runs which compares the ACLs and resets it.
> >>
> >>If the user isn't in a protected group then what is causing this 
> >>behavior?  And i guess once i know that i can set AdminCount=0 for them,
> >>permanently?
> >>
> >>tia,
> >>
> >>john
> >>List info   : http://www.activedir.org/List.aspx
> >>List FAQ    : http://www.activedir.org/ListFAQ.aspx
> >>List archive:
> >>http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
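Added example, not part of the original thread: an offline check over a directory export that explains each adminCount=1 account by walking group nesting to a protected group, covering the two hints quoted above (nested groups, past membership) and also the primary group, which memberOf does not list. All user names, the Helpdesk and Tier2 Support groups, and the PROTECTED subset are constructed sample data.

```python
"""Explain adminCount=1 by walking group nesting in an exported snapshot."""
from collections import deque

# Constructed sample export: each group maps to the groups it is a member of.
GROUP_MEMBER_OF = {
    "Domain Admins": ["Administrators"],
    "Domain Users": ["Users"],
    "Helpdesk": ["Tier2 Support"],
    "Tier2 Support": ["Account Operators"],
}
# primaryGroupID holds a RID; 512 and 513 are the well-known RIDs of these groups.
PRIMARY_GROUP_BY_RID = {512: "Domain Admins", 513: "Domain Users"}
# Assumed subset of the protected groups; extend to match your domain.
PROTECTED = {"Administrators", "Domain Admins", "Account Operators"}

USERS = [  # constructed sample accounts
    {"sam": "alice", "adminCount": 1, "memberOf": [], "primaryGroupID": 512},
    {"sam": "bob", "adminCount": 1, "memberOf": ["Helpdesk"], "primaryGroupID": 513},
    {"sam": "carol", "adminCount": 1, "memberOf": [], "primaryGroupID": 513},
    {"sam": "dave", "adminCount": 0, "memberOf": [], "primaryGroupID": 513},
]

def path_to_protected(user):
    """Return the shortest group chain from user to a protected group, or None."""
    start = list(user["memberOf"])
    primary = PRIMARY_GROUP_BY_RID.get(user["primaryGroupID"])
    if primary and primary not in start:
        start.append(primary)  # the primary group never appears in memberOf
    queue = deque([g] for g in start)
    seen = set(start)
    while queue:  # breadth-first, so the first hit is the shortest chain
        chain = queue.popleft()
        if chain[-1] in PROTECTED:
            return chain
        for parent in GROUP_MEMBER_OF.get(chain[-1], []):
            if parent not in seen:  # guards against circular nesting
                seen.add(parent)
                queue.append(chain + [parent])
    return None

def explain_admincount(users):
    """Map each adminCount=1 account to its nesting chain or 'no current path'."""
    report = {}
    for u in users:
        if u.get("adminCount") != 1:
            continue
        chain = path_to_protected(u)
        report[u["sam"]] = " -> ".join(chain) if chain else "no current path"
    return report

if __name__ == "__main__":
    for sam, why in explain_admincount(USERS).items():
        print(f"{sam}: {why}")
```

An account reported as "no current path" matches the past-membership hint if its adminCount then stays at 0 after being cleared; if the value returns to 1, the export is missing a membership.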



