even if you remove the person from the "protected" group, the AdminCount=1 is
not automatically cleared, so it is still possible for the permission to
still disappear even though the user is no longer in any "Protected" group.
You will have to consciously and manually reset the AdminCount attribute to 0.
 

Sincerely, 
   _____                                
  (, /  |  /)               /)     /)   
    /---| (/_  ______   ___// _   //  _ 
 ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)      
                               (/       
Microsoft MVP - Directory Services
www.readymaids.com <http://www.readymaids.com>  - we know IT
www.akomolafe.com <http://www.akomolafe.com> 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 

________________________________

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 4/24/2006 12:36 PM
To: [email protected]
Subject: Re: [ActiveDir] Speaking of Adminsdholder...


That's what I thought.
 
But I have an admin who is an Account Operator and in a group which has
Exchange Full Admin rights on the Org who gets an access denied error when
trying to delete an Exchange mailbox.
 
The user he is trying to delete used to be an Account Op but I took him out
of the group days ago and set perms to inherit on his account.
 
This admin can delete the mailbox of any Domain User account but not this
one.
 
This account is a member of 2 other groups which are just regular global
groups and are not nested into any of the protected groups.
In fact the groups are not nested in any groups.
 
What could be preventing him from deleting his mailbox?
This admin is not a member of any groups which have denies (explicit or
inherited) that I can see.
 
Thanks
 
 
 


 
On 4/24/06, [EMAIL PROTECTED] wrote:

        The behavior is not due to their being in a group given "Exchange Full Admin"
        rights. The behavior is due to those accounts belonging to groups that are
        protected by adminsdholder. The default protected groups (in 2K3, 2K-SP4, and
        2K-with-KB327835 AD environments) are:
        *       Administrators
        *       Account Operators
        *       Server Operators
        *       Print Operators
        *       Backup Operators
        *       Domain Admins
        *       Schema Admins
        *       Enterprise Admins
        *       Cert Publishers
        
        
        ________________________________
        
        From: [EMAIL PROTECTED] on behalf of Tom Kern
        Sent: Mon 4/24/2006 10:15 AM 
        To: activedirectory
        Subject: [ActiveDir] Speaking of Adminsdholder...
        
        
        Does this affect users who have been delegated Exchange Full Admin access?
        
        I have an admin who can only delete mail attributes of regular users but not
        users who are in the group given Exchange Full Admin rights.
        
        Is this the adminSDHolder?
        
        The admin in question is an Account Operator.
        The users he can't delete mail attribs from are just members of Domain Users
        and the Exchange Full Admin group.
        
        Thanks
        List info   : http://www.activedir.org/List.aspx
        List FAQ    : http://www.activedir.org/ListFAQ.aspx 
        List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
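
An added example, not part of the thread or written by its participants: a PowerShell script that finds user accounts still carrying adminCount=1 although they are no longer members of the protected groups listed above, and reports whether ACL inheritance is still blocked on them. It assumes the RSAT ActiveDirectory module and a domain-joined session; the -Fix switch and the krbtgt exclusion are this example's own choices, and the group list is the one given in the thread, so extend it for newer domain versions.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and rights to read user objects (and to write them when -Fix is used).
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

Import-Module ActiveDirectory

# Default protected groups as listed in the thread (2K3 / 2K-SP4 / KB327835).
$protectedNames = 'Administrators','Account Operators','Server Operators',
    'Print Operators','Backup Operators','Domain Admins','Schema Admins',
    'Enterprise Admins','Cert Publishers'

# Collect the DN of every current member, following nested groups.
$stillProtected = @{}
foreach ($name in $protectedNames) {
    # Schema Admins / Enterprise Admins exist only in the forest root domain.
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# Users flagged adminCount=1 that are no longer in any protected group.
# krbtgt is skipped (assumption of this example: it is protected directly,
# not through group membership, so it would be a false positive here).
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and
                   -not $stillProtected.ContainsKey($_.DistinguishedName) }

foreach ($user in $orphans) {
    $acl = $user.nTSecurityDescriptor
    [pscustomobject]@{
        User               = $user.SamAccountName
        AdminCount         = $user.adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
    if ($Fix -and $PSCmdlet.ShouldProcess($user.DistinguishedName,
            'reset adminCount to 0 and re-enable ACL inheritance')) {
        # Turn protection off so inherited ACEs apply again; the second
        # argument is ignored when protection is being switched off.
        $acl.SetAccessRuleProtection($false, $true)
        Set-ADObject -Identity $user.DistinguishedName `
            -Replace @{ adminCount = 0; nTSecurityDescriptor = $acl }
    }
}
```

Run it without -Fix first to review the report; with -Fix, adding -WhatIf shows which accounts would be changed without writing anything.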
        

