The user does not have to be directly in a protected group. This can happen with nested groups many layers deep.
Mark -----Original Message----- From: John Singler <[EMAIL PROTECTED]> Date: Fri, 10 Jun 2005 14:35:07 To:"[email protected]" <[email protected]> Subject: [ActiveDir] troubleshooting object permission inheritance Greetings -- Using adfind to identify users who have the AdminCount attribute set to 1. Looking at the output there are users who are expected to have that set seeing that they are Domain Admins BUT i also see a handful of users who are not members of a protected group. Using admod to set AdminCount=0 for those users temporarily sets it until the PDC mechanism runs which compares the ACLs and resets it. If the user isn't in a protected group then what is causing this behavior? And i guess once i know that i can set AdminCount=0 for them, permanently? tia, john List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
