Pls. do not confuse the option to "Allow inheritable permissions...
include with entries explicitly DEFINED here" underneath the list of
permissions with options to scope each permission listed in the "Apply
To" or with the "Inherited From" column.

The "Allow inheritable perms..." option controls if this OU inherits
other permissions FROM THE TOP (unchecking the box "protects" the OU
from permissions that would inherit down from above). The "inherited
from" column is correct in stating "not inherited" as you've just added
the permission _explicitly_ to this OU and it is NOT inherited from a
parent OU.

But you have to set the scope for each of the permissions WHICH YOU SET
on the OU by clicking that permission and then selecting the
appropriate option in the "Apply onto:" dropdown list => this is where
you define if YOUR permission will be inherited down to other OUs.
You're probably best off to choose the "This object and all child
objects" option.  You will then see that the permission is applied to
the sub-OUs and here you'll see YOUR OU as the one where they have
"Inherited From" your permission.

/Guido
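
The three settings this reply tells apart, shown on a security descriptor in SDDL form (an added example, not part of the original message): the DACL flag `P` corresponds to the unchecked "Allow inheritable permissions" box, the ACE flags `CI`/`IO` to the "Apply onto" scope, and the ACE flag `ID` to the "Inherited From" column. The sample DACL, its SIDs and the function names are constructed for illustration; object-type-specific ACEs are not modelled.

```python
import re

# Constructed sample: DACL of an OU in SDDL form; the SIDs are made-up placeholders.
SAMPLE_OU_DACL = (
    "D:AI"
    "(A;;RPWP;;;S-1-5-21-1-2-3-1104)"      # added by hand, no scope chosen
    "(A;CI;RPWP;;;S-1-5-21-1-2-3-1105)"    # added by hand, scoped to children too
    "(A;CIIO;RP;;;S-1-5-21-1-2-3-1106)"    # added by hand, children only
    "(A;CIID;RPLC;;;S-1-5-21-1-2-3-512)"   # flowed down from a parent
)

def scope_of(flags):
    """Map ACE inheritance flags to the wording of the "Apply onto" list."""
    if "CI" not in flags:
        return "This object only"
    return "Child objects only" if "IO" in flags else "This object and all child objects"

def parse_dacl(sddl):
    """Return (protected, aces) for the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    # 'P' = protected DACL: the "Allow inheritable permissions" box is unchecked.
    protected = "P" in m.group(1)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        _type, flag_str, rights, _obj, _inh_obj, sid = body.split(";")[:6]
        flags = set(re.findall("..", flag_str))
        aces.append({
            "trustee": sid,
            "rights": rights,
            "inherited": "ID" in flags,   # what the "Inherited From" column reports
            "scope": scope_of(flags),     # what "Apply onto" was set to
        })
    return protected, aces

def explicit_aces_not_reaching_children(sddl):
    """Trustees of explicit ACEs that stop at this object."""
    _, aces = parse_dacl(sddl)
    return [a["trustee"] for a in aces
            if not a["inherited"] and a["scope"] == "This object only"]

if __name__ == "__main__":
    protected, aces = parse_dacl(SAMPLE_OU_DACL)
    print("inheritance from parent blocked:", protected)
    for a in aces:
        print(a)
    print("stop at this OU:", explicit_aces_not_reaching_children(SAMPLE_OU_DACL))
```
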

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Thursday, 11 August 2005 18:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Not inheritting permissions

When looking on my OU go to Properties -> Security -> Advanced, find
your permission there is already a check mark in front of: "Inherit from
parent the permission entries that apply to child objects.  Include
these with entries explicitly denied here" but listed under the
permission entries under "inherited from" it says "not inherited."
 
Thanks,
Brenda
 
Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792
 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, August 11, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Not inheritting permissions


Looks like you've manually added a permission at the OU level and didn't
supply the scope for it => on your OU go to Properties -> Security ->
Advanced, find your permission and then choose to apply the permission
to "this object and all child objects".  This won't be required for
permissions that you apply for a specific object-type, as this always
inherits down the tree (if you don't limit that specific ACE).
 
/Guido

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Thursday, 11 August 2005 18:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Not inheritting permissions


In my 2000 AD I have some of my OUs set to "Inherit from parent the
permission entries that apply to child objects.  Include these with
entries explicitly denied here"; however, the OUs below them are not
really inheriting the permissions (even though the check mark shows they
are).  In addition, all of the user accounts below these OUs are set to
Inherit permissions also, and are not really inheriting the permissions.
Anyone have any thoughts on this, other than manually changing the
permissions on every user account manually?
 
Thanks,
Brenda
 
Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792
 

 
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/