Every hour, the domain controller that has the primary domain controller (PDC) emulator operations master role verifies the ACLs on members of the protected groups and compares them to the ACL on the AdminSDHolder object. If the ACL that is on the AdminSDHolder object is different, the ACLs on the members of the administrative group are reset to match the ACL on the AdminSDHolder object. For more info on the ADMINSDHOLDER object see the following related KB articles Description and Update of the Active Directory AdminSDHolder Object --> MS-KBQ232199 (http://support.microsoft.com/?id=232199) AdminSDHolder Thread Affects Transitive Members of Distribution Groups --> MS-KBQ318180 (http://support.microsoft.com/?id=318180) Delegated permissions are not available and inheritance is automatically disabled --> MS-KBQ817433 (http://support.microsoft.com/?id=817433)
Cheers, jorge ________________________________ From: [EMAIL PROTECTED] on behalf of Ben D. Kusa Sent: Thu 11/10/2005 2:16 AM To: [email protected] Subject: [ActiveDir] some users do not have allow "inheritable permissions" set some users do not have allow "inheritable permissions" set. The only way I have found to reset that setting is to open each user and check that option off. I have tried running dsacls OU=ou,DC=dc,DC=dc /I:T and it seems to go through ok but does not reset that option. Should that work? Or does anyone know any other way to set that option on multiple users Thanks Ben This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
<<winmail.dat>>
