I didn't review this entire thread - but keep in mind it is not only direct membership - but transitive as well.

steve
----- Original Message -----
From: "John Singler" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, June 10, 2005 3:06 PM
Subject: RE: [ActiveDir] troubleshooting object permission inheritance


yes, admod'd them to 0 then changed the perms to Default (which turns on
inheritance).

Quoting Jorge de Almeida Pinto <[EMAIL PROTECTED]>:

 have you also changed the inheritance setting of those accounts?
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 6/10/2005 10:54 PM
Subject: Re: [ActiveDir] troubleshooting object permission inheritance

not a strange question ... i looked into that when i first started the
troubleshooting process .... Domain Users is a member of the Builtin
Users group which is not a protected group in my environment.

Just so i have it straight:

If a user is a member of a protected group its AdminCount attribute
will be 1.  If said user is removed from that group its AdminCount
attribute will remain 1 until it is changed.  Once it is removed from
the protected group and the attribute changed to 0 it should remain at 0
- yes?

Back to my problem - user is not a member of a protected group and i
can't change the AdminCount to 0 w/o it being reset to 1.

thanks so far,

john

Jorge de Almeida Pinto wrote:
> John,
>
> OK, the users you are talking about are non-default-admin-users and are not
> members of protected groups and never have been.
>
> Maybe a strange question.. which groups is the domain users group a member
> of?
>
> #JORGE#
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: '[email protected] '
> Sent: 6/10/2005 10:10 PM
> Subject: Re: [ActiveDir] troubleshooting object permission inheritance
>
> Jorge --
>
> I was following those threads which unfortunately did not clue me in.
> The users that have AdminCount=1 but shouldn't have never been in a
> protected group nor are they in a non protected group that is nested in
> protected group.
>
> I have even gone so far as to remove all group memberships (besides
> Domain Users) for a particular user, force replication, admod the
> attribute to 0 and still it resets to 1 after an hour.
>
> Thanks for the reply - i'd appreciate any more feedback you may have.
>
> john
>
> Jorge de Almeida Pinto wrote:
>
>>Hi,
>>
>>This was a thread that was discussed a few days ago. See the following post
>>from Joe where he explains some things in addition to my own post.
>>http://www.mail-archive.com/[email protected]/msg29621.html
>>
>>HINTS:
>>* nested groups -> is that user a member of a non-default-protected-group
>>and where that non-default-protected-group IS a member of a protected group.
>>* were those users somehow members of protected groups in the past? If they
>>were and now are not the admincount will not be reset to 0
>>
>>Is this an answer to your issue?
>>
>>#JORGE#
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>To: [email protected]
>>Sent: 6/10/2005 8:35 PM
>>Subject: [ActiveDir] troubleshooting object permission inheritance
>>
>>Greetings --
>>
>>Using adfind to identify users who have the AdminCount attribute set to
>>1.
>>
>>Looking at the output there are users who are expected to have that set
>>seeing that they are Domain Admins BUT i also see a handful of users who
>>are not members of a protected group.
>>
>>Using admod to set AdminCount=0 for those users temporarily sets it
>>until the PDC mechanism runs which compares the ACLs and resets it.
>>
>>If the user isn't in a protected group then what is causing this
>>behavior?  And i guess once i know that i can set AdminCount=0 for them,
>>permanently?
>>
>>tia,
>>
>>john
>>List info   : http://www.activedir.org/List.aspx
>>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>>List archive:
>>http://www.mail-archive.com/activedir%40mail.activedir.org/
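The transitive-membership check raised in this thread, as an added example that is not part of any poster's message: it walks nested group membership from each account and compares the result with its AdminCount value. The group names, accounts, the protected-group set and the primary-group edges are constructed sample data and assumptions, not output from the environment discussed here.

```python
from collections import deque

# Constructed sample export: object -> groups it is a direct member of.
# The primary group (Domain Users) is listed explicitly because it is not
# part of an account's memberOf attribute.
MEMBER_OF = {
    "alice": ["Domain Users", "Domain Admins"],
    "bob": ["Domain Users", "Helpdesk"],
    "carol": ["Domain Users"],
    "dave": ["Domain Users", "Loop A"],
    "Helpdesk": ["Tier2 Ops"],
    "Tier2 Ops": ["Account Operators"],
    "Domain Users": ["Users"],
    "Loop A": ["Loop B"],
    "Loop B": ["Loop A"],  # circular nesting must not hang the walk
}
ADMIN_COUNT = {"alice": 1, "bob": 1, "carol": 1, "dave": 0}
# Assumed protected set for this sample; check the real list for your domain.
PROTECTED = {"Domain Admins", "Account Operators", "Administrators"}


def protected_path(obj, member_of, protected):
    """Shortest membership chain from obj to a protected group, or None."""
    queue, seen = deque([[obj]]), {obj}
    while queue:
        path = queue.popleft()
        for group in member_of.get(path[-1], ()):
            if group in seen:
                continue
            if group in protected:
                return path + [group]
            seen.add(group)
            queue.append(path + [group])
    return None


def audit(admin_count, member_of, protected):
    """Map account -> (status, chain) from AdminCount and transitive membership."""
    report = {}
    for user, count in admin_count.items():
        path = protected_path(user, member_of, protected)
        if path:
            status = "expected" if count == 1 else "pending"
        else:
            status = "no-path" if count == 1 else "clean"
        report[user] = (status, path)
    return report


if __name__ == "__main__":
    for user, (status, path) in audit(ADMIN_COUNT, MEMBER_OF, PROTECTED).items():
        print(f"{user:6} {status:9} {' -> '.join(path) if path else '-'}")
```

An account reported as `no-path` has AdminCount=1 with no chain to a protected group in the data examined, which is the case the original poster describes.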