The attribute admincount=1 when an account was/is a member of a protected group... besides checking the inheritance option you need to make admincount=0

Jorge
________________________________
From: [EMAIL PROTECTED] on behalf of Ben D. Kusa
Sent: Fri 11/11/2005 5:16 PM
To: [email protected]
Subject: RE: [ActiveDir] some users do not have allow "inheritable permissions" set

Thanks for the info. It looks like the users were once part of a protected group, I reset the inheritance flag and it holds on the users after that process that runs every hour.

________________________________

Hi Ben,

Putting aside AdminSDHolder for a moment....maybe you were looking for the /P:N option instead? Of course this may increase the number of ACEs on the object more than what you'd like, but I saw the /I:T thing and thought that's more applicable to the parent object, rather than the leaf object.

Hopefully I understood correctly...

-DaveC

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, November 10, 2005 1:19 AM
To: [email protected]
Subject: RE: [ActiveDir] some users do not have allow "inheritable permissions" set

Just out of curiosity when you go back an hour later is the box unchecked? This really sounds like the work of AdminSDHolder and the users in question are likely members of protected groups. If you have not looked at the following Knowledge Base article you may want to see if this is what you are running into: http://support.microsoft.com/default.aspx?scid=kb;en-us;817433.

Thanks,

-Steve

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben D. Kusa
Sent: Wednesday, November 09, 2005 7:17 PM
To: [email protected]
Subject: [ActiveDir] some users do not have allow "inheritable permissions" set

Some users do not have allow "inheritable permissions" set. The only way I have found to reset that setting is to open each user and check that option off. I have tried running dsacls OU=ou,DC=dc,DC=dc /I:T and it seems to go through ok but does not reset that option. Should that work?

Or does anyone know any other way to set that option on multiple users?

Thanks
Ben
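
The cleanup the thread arrives at (re-enable inheritance and set admincount=0 on users that are no longer in a protected group), applied to many users at once. This is an added PowerShell example, not something posted by anyone in the thread; it assumes the ActiveDirectory module, and `$SearchBase`, `$ProtectedGroupDNs` and `-Fix` are names chosen here, with the list of protected group DNs supplied by the operator.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT) and write access to the users.
# $SearchBase, $ProtectedGroupDNs and -Fix are names chosen for this example.
param(
    [Parameter(Mandatory)] [string]   $SearchBase,         # OU to scan
    [Parameter(Mandatory)] [string[]] $ProtectedGroupDNs,  # DNs of this domain's protected groups
    [switch] $Fix                                          # report only unless set
)
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string] $Value) {
    # RFC 4515 escaping; backslash first so later escapes are not doubled.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Accounts stamped with adminCount=1.
$stamped = Get-ADUser -SearchBase $SearchBase -LDAPFilter '(adminCount=1)'

foreach ($user in $stamped) {
    # Is the user still a direct or nested member of a protected group?
    # (Primary-group membership is not visible through memberOf.)
    $stillProtected = $false
    foreach ($groupDn in $ProtectedGroupDNs) {
        $filter = '(memberOf:1.2.840.113556.1.4.1941:={0})' -f (ConvertTo-LdapFilterValue $groupDn)
        if (Get-ADUser -SearchBase $user.DistinguishedName -SearchScope Base -LDAPFilter $filter) {
            $stillProtected = $true
            break
        }
    }

    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    [pscustomobject]@{
        User               = $user.SamAccountName
        StillProtected     = $stillProtected
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }

    # Current members are skipped: the hourly process would undo the change.
    if ($Fix -and -not $stillProtected) {
        $acl.SetAccessRuleProtection($false, $true)   # tick "allow inheritable permissions"
        Set-Acl -Path $path -AclObject $acl
        Set-ADUser -Identity $user -Replace @{ adminCount = 0 }
    }
}
```

Re-enabling inheritance does not remove the explicit ACEs that were copied onto the object while it was protected, so review those separately.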
