>>> usually adminCount should be reset if the account does not belong to any 
>>> administrative groups anymore, but it may take up to one hour as (AFAIK) 
>>> the adminSdHolder-process is responsible for that as well
 
Are you saying "the AdminSDHolder process on the PDC FSMO also resets the 
adminCount to 0 when the account is not a member of protected groups"?
Are you sure? If a security principal is a member of a protected group then the 
inheritance flag is removed, the ACLs on the object are reset to match the 
AdminSDHolder ACLs and adminCount is set to 1.

When removing the security principal from the protected group, the inheritance 
flag remains gone and adminCount remains set to 1. You have to change both 
manually.
 
Also see: http://www.mail-archive.com/[email protected]/msg36168.html
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel    : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : <see sender address>

________________________________

From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Sent: Tue 2006-04-25 22:34
To: [email protected]
Subject: RE: [ActiveDir] Speaking of Adminsdholder...


Hello Tom,
 
usually adminCount should be reset if the account does not belong to any 
administrative groups anymore, but it may take up to one hour as (AFAIK) the 
adminSdHolder process is responsible for that as well. However, it does not 
reset the SE_DACL_Protected bit in the Control property of the 
ntSecurityDescriptor (AKA the inheritance flag). There's a script in KB 817433 
[1] which looks for user objects with adminCount = 0 and resets the inheritance 
flag.
 
[1] http://support.microsoft.com/?id=817433#E0VB0ADAAA

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
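Jorge's point above that adminCount and the inheritance flag both have to be cleaned up by hand, and Ulf's note on the KB 817433 script that resets the inheritance flag, as an added PowerShell example that is neither from the thread nor the KB script. It assumes the ActiveDirectory module (Get-ADUser, Get-ADGroupMember, Set-ADUser and the AD: PSDrive it provides) and takes the protected-group list from the default list quoted further down the thread.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread or from KB 817433. Lists users that still
# carry an AdminSDHolder stamp (adminCount set and/or inheritance disabled) although
# they are no longer members of any protected group, and with -Fix undoes both
# settings, since neither is reverted automatically when the account leaves the group.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

Import-Module ActiveDirectory

# Default protected groups as listed in the thread (2K3 / 2K-SP4 defaults).
$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins', 'Schema Admins',
    'Enterprise Admins', 'Cert Publishers'

# Resolve membership recursively so that nesting into a protected group counts.
$protectedSet = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive |
            ForEach-Object { [void]$protectedSet.Add($_.DistinguishedName) }
    } catch { Write-Warning "Could not enumerate '$g': $_" }
}

# adminCount=* matches both 1 (Jorge's case) and a cleared-to-0 value (Ulf's KB case).
foreach ($u in Get-ADUser -LDAPFilter '(adminCount=*)' -Properties adminCount) {
    if ($protectedSet.Contains($u.DistinguishedName)) { continue }  # still protected, leave alone

    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    [pscustomobject]@{
        User                = $u.SamAccountName
        adminCount          = $u.adminCount
        InheritanceDisabled = $acl.AreAccessRulesProtected   # SE_DACL_PROTECTED bit
    }

    if (-not $Fix) { continue }
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Clear adminCount and re-enable inheritance')) {
        Set-ADUser -Identity $u -Clear adminCount
        if ($acl.AreAccessRulesProtected) {
            # Re-enabling inheritance does not remove the explicit ACEs copied from
            # AdminSDHolder; the GUI "Default" button or dsacls /S (Freddy's suggestion)
            # restores the schema default ACL if those need to go too.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}
```

Run it without -Fix first to get the report only; with -Fix -WhatIf it shows which objects would be changed without touching them.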
   

 


________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
        Sent: Tuesday, April 25, 2006 4:16 PM
        To: [email protected]
        Subject: Re: [ActiveDir] Speaking of Adminsdholder...
        
        
        You were right, the adminCount was still set to 1, but after clearing 
it, the admin still can't delete the mailbox.
        Do I have to reset the perms on that OU or user object?
         
        If so, what is the "normal" method for getting accounts back to their 
default after they have been taken out of a protected group?
         
        I thought this kind of stuff would happen automatically....
         
        Thanks
        
         
        On 4/25/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote: 

                I usually reset via the GUI (Default button under Advanced), or I 
believe dsacls /s should do it as well.

                Thank you and have a splendid day!

                 

                Kind Regards,

                 

                Freddy Hartono

                Group Support Engineer

                InternationalSOS Pte Ltd

                mail: [EMAIL PROTECTED]

                phone: (+65) 6330-9785

                 

                 

________________________________

                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
                Sent: Tuesday, April 25, 2006 3:36 AM
                
                To: [email protected]
                Subject: Re: [ActiveDir] Speaking of Adminsdholder...
                

                 
                
                That's what I thought.
                 
                But I have an admin who is an Account Operator and in a group 
which has Exchange Full Admin rights on the Org, who gets an access denied error 
when trying to delete an Exchange mailbox.
                 
                The user he is trying to delete used to be an Account Op, but I 
took him out of the group days ago and set perms to inherit on his account.
                 
                This admin can delete the mailbox of any Domain User account 
but not this one.
                 
                This account is a member of 2 other groups which are just 
regular global groups and are not nested into any of the protected groups.
                In fact the groups are not nested in any groups.
                 
                What could be preventing him from deleting this mailbox?
                This admin is not a member of any groups which have 
denies (explicit or inherited) that I can see.
                 
                Thanks
                 
                 
                 


                 
                On 4/24/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: 

                The behavior is not due to their being in a group given 
"Exchange Full Admin" rights. The behavior is due to those accounts belonging to 
groups that are protected by adminsdholder. The default protected groups (in 
2K3, 2K-SP4, and 2K-with-KB327835 AD environments) are:
                *       Administrators
                *       Account Operators
                *       Server Operators
                *       Print Operators
                *       Backup Operators
                *       Domain Admins
                *       Schema Admins
                *       Enterprise Admins
                *       Cert Publishers
                
                
                Sincerely,
                Microsoft MVP - Directory Services
                
                www.readymaids.com - we know IT
                www.akomolafe.com
                Do you now realize that Today is the Tomorrow you were worried 
about Yesterday? -anon
                
                
                ________________________________
                
                From: [EMAIL PROTECTED] on behalf of Tom Kern
                
                Sent: Mon 4/24/2006 10:15 AM 
                To: activedirectory
                Subject: [ActiveDir] Speaking of Adminsdholder...
                
                
                Does this affect users who have been delegated Exchange Full 
Admin access? 
                
                I have an admin who can only delete mail attributes of regular 
users but not users who are in the group given Exchange Full Admin rights.
                
                Is this the adminSDHolder?
                
                The admin in question is an Account Operator. 
                The users he can't delete mail attribs from are just members of 
Domain Users and the Exchange Full Admin group.
                
                Thanks
                List info   : http://www.activedir.org/List.aspx
                List FAQ    : http://www.activedir.org/ListFAQ.aspx 
                List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/
                


                 



