Re: [ActiveDir] Speaking of Adminsdholder...

[Tom Kern]

You were right, the adminCount was still set to 1 but after clearing it, the admin still can't delete the mailbox.

DO i have to reset the perms on that ou or user object?

 

If so, what is the "normal" method for getting accounts back to thier defaul after they have been taken out of a protected group?

 

I thought this kind of stuff would happen automatically....

 

Thanks

 

On 4/25/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote:

I usually reset via gui - (Default button under advanced) or I believe dsacls /s should do it as well

Thank you and have a splendid day!

 

Kind Regards,

 

Freddy Hartono

Group Support Engineer

InternationalSOS Pte Ltd

mail: [EMAIL PROTECTED]

phone: (+65) 6330-9785

 

 

---

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, April 25, 2006 3:36 AM

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Speaking of Adminsdholder...

 

Thats what I thought.

 

But I have a admin who is an Account Operator and in a group which has Exchange Full Admin rights on the Org who gets an access denied error when trying to delete an exchange mailbox

 

The user he is trying to delete used to be an Account Op but I took him out of the group days ago and set perms to inherit on his account.

 

This admin can delete the mailbox of any Domain User account but not this one.

 

This account is a member of 2 other groups which are just regular global groups and are not nested into any of the protected groups.

In fact the groups are not nested in any groups.

 

What could be preventing him from deleting his mailbox?

This admin is not a member of any groups which have denies(explicit or inherited) that i can see.

 

Thanks

 

 

 

 

On 4/24/06, [EMAIL PROTECTED] < [EMAIL PROTECTED]> wrote:

The behavior is not due to their being in a group given "Exchange Full Admin"
rights. The behavior is due to those accounts belonging to groups that are
protected by adminsdholder. The default protected groups (in 2K3, 2K-SP4, and
2K-with-KB327835 AD environments) are:
*       Administrators
*       Account Operators
*       Server Operators
*       Print Operators
*       Backup Operators
*       Domain Admins
*       Schema Admins
*       Enterprise Admins
*       Cert Publishers


Sincerely,
  _____
(, /  |  /)               /)     /)
   /---| (/_  ______   ___// _   //  _
) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)
                              (/
Microsoft MVP - Directory Services

www.readymaids.com < http://www.readymaids.com>  - we know IT
www.akomolafe.com < http://www.akomolafe.com>
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


________________________________

From: [EMAIL PROTECTED] on behalf of Tom Kern

Sent: Mon 4/24/2006 10:15 AM
To: activedirectory
Subject: [ActiveDir] Speaking of Adminsdholder...


Does this affect users who have been delegated Exchange Full Admin access?

I have a admin who can only delete mail attributes of regular users but not
users who are in the group given Exchange Full Admin rights.

Is this the adminSDHolder?

The admin in question is an Account Operator.
The users he can't delete mail attribs from are just members of Domain Users
and the Exchange Full Admin group.

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/