Thanks, but I reset the inheritance to allow through the GUI.
Still doesn't work.
The groups this admin is a part of do not have any denies anywhere in AD.
The user whose mailbox he's trying to delete is just a member of Domain Users since yesterday.
What the heck is preventing him from deleting this mailbox (also other parts of the account are grayed out for this admin)?
On 4/25/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:
Hello Tom,
usually adminCount should be reset if the account does not belong to any administrative groups anymore, but it may take up to one hour as (AFAIK) the adminSdHolder-process is responsible for that as well. However it does not reset the SE_DACL_Protected bit in the Control-property of the ntSecurityDescriptor (AKA the inheritance flag). There's a script in KB 817433 [1] which looks for user objects with Admincount = 0 and resets the inheritance flag.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, April 25, 2006 4:16 PM
To: [email protected]
Subject: Re: [ActiveDir] Speaking of Adminsdholder...
You were right, the adminCount was still set to 1 but after clearing it, the admin still can't delete the mailbox.
Do I have to reset the perms on that OU or user object?
If so, what is the "normal" method for getting accounts back to their default after they have been taken out of a protected group?
I thought this kind of stuff would happen automatically....
Thanks
On 4/25/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote:
I usually reset via GUI - (Default button under advanced) or I believe dsacls /s should do it as well.
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, April 25, 2006 3:36 AM
To: [email protected]
Subject: Re: [ActiveDir] Speaking of Adminsdholder...
That's what I thought.
But I have an admin who is an Account Operator and in a group which has Exchange Full Admin rights on the Org who gets an access denied error when trying to delete an Exchange mailbox.
The user he is trying to delete used to be an Account Op but I took him out of the group days ago and set perms to inherit on his account.
This admin can delete the mailbox of any Domain User account but not this one.
This account is a member of 2 other groups which are just regular global groups and are not nested into any of the protected groups.
In fact the groups are not nested in any groups.
What could be preventing him from deleting his mailbox?
This admin is not a member of any groups which have denies (explicit or inherited) that I can see.
Thanks
On 4/24/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
The behavior is not due to their being in a group given "Exchange Full Admin" rights. The behavior is due to those accounts belonging to groups that are protected by adminsdholder. The default protected groups (in 2K3, 2K-SP4, and 2K-with-KB327835 AD environments) are:
* Administrators
* Account Operators
* Server Operators
* Print Operators
* Backup Operators
* Domain Admins
* Schema Admins
* Enterprise Admins
* Cert Publishers
Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com < http://www.readymaids.com> - we know IT
www.akomolafe.com < http://www.akomolafe.com>
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 4/24/2006 10:15 AM
To: activedirectory
Subject: [ActiveDir] Speaking of Adminsdholder...
Does this affect users who have been delegated Exchange Full Admin access?
I have an admin who can only delete mail attributes of regular users but not
users who are in the group given Exchange Full Admin rights.
Is this the adminSDHolder?
The admin in question is an Account Operator.
The users he can't delete mail attribs from are just members of Domain Users
and the Exchange Full Admin group.
Thanks
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
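The situation discussed in this thread (an account taken out of a protected group that keeps adminCount and a DACL with inheritance blocked) can be audited as follows. This is an added example, not part of any message in the thread and not the script from KB 817433; it assumes the RSAT ActiveDirectory module and default English group names, and it only reads from the directory.

```powershell
# Added example: read-only audit. Assumes the RSAT ActiveDirectory module and
# default English group names; nothing is modified.
Import-Module ActiveDirectory

# Default protected groups as listed in the thread.
$protectedNames = 'Administrators', 'Account Operators', 'Server Operators',
                  'Print Operators', 'Backup Operators', 'Domain Admins',
                  'Schema Admins', 'Enterprise Admins', 'Cert Publishers'

# Resolve names to DNs in the current domain. Forest-wide groups that live in
# another domain simply do not resolve here and are skipped.
$protectedDns = foreach ($name in $protectedNames) {
    Get-ADGroup -Filter "Name -eq '$name'" |
        Select-Object -ExpandProperty DistinguishedName
}

# adminCount=* matches users where the attribute is present (0 or 1). Accounts
# where it was cleared by hand need a wider filter, e.g. all users in one OU.
$users = Get-ADUser -LDAPFilter '(adminCount=*)' `
    -Properties adminCount, nTSecurityDescriptor, PrimaryGroup

$report = foreach ($user in $users) {
    # Primary-group membership is not stored in memberOf, so test it directly.
    $inProtected = $protectedDns -contains $user.PrimaryGroup
    foreach ($dn in $protectedDns) {
        if ($inProtected) { break }
        # LDAP_MATCHING_RULE_IN_CHAIN follows nested group membership.
        $hit = Get-ADUser -SearchBase $user.DistinguishedName -SearchScope Base `
            -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
        if ($hit) { $inProtected = $true }
    }
    [pscustomobject]@{
        SamAccountName   = $user.SamAccountName
        AdminCount       = $user.adminCount
        InProtectedGroup = $inProtected
        # True means SE_DACL_PROTECTED is set, i.e. inheritance is blocked.
        DaclProtected    = $user.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

# Leftovers: out of every protected group, yet still flagged or still blocked.
$report |
    Where-Object { -not $_.InProtectedGroup -and
                   ($_.AdminCount -eq 1 -or $_.DaclProtected) } |
    Format-Table -AutoSize
```

Rows where DaclProtected is True but InProtectedGroup is False are the accounts on which delegated permissions from the parent OU no longer apply.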
