RE: [ActiveDir] AD Security permission continues to be "auto-removed"

[Marcus.Oh]

Salient point being “valid reason”…   J   :m:dsm:cci:mvp | marcusoh.blogspot.com   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Friday, June 23, 2006 11:01 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"   Only Sith deal in absolutes… :P   When you have a CIO that likes to be in the Domain Admins group, you sometimes have to pick your battles.   Todd   From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, June 23, 2006 10:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"   There is no debate on admins having multiple creds, one for admin work and one for normal work. Just do it. :)   To put it nicely, if a company doesn't do this, they are just being silly[1].   I am trying to figure out if there is ever a valid reason I think that an admin should have a single ID in a company. I can't come up with one.      joe       [1] Instead of silly think of mean words used to describe really silly people.   -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Friday, June 23, 2006 6:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed" One more thing to add to this from my experience.   I think we had situations arise where someone was trying to pragmatically modify or read attributes on accounts in the protected groups and was not able to due to their membership within a protected group.  This of course started the hot debate on admins having multiple credentials, one for administrative duties, the other for collaborative and identity purposes.   Todd   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, June 22, 2006 9:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"   I have a 2-part discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx   It's a bit headache-inducing, but at least you will get the benefit of knowing that it is "by design"   HTH Sincerely,    _____                                  (, /  |  /)               /)     /)       /---| (/_  ______   ___// _   //  _  ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/                             /)                                     (/       Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B Sent: Thursday, June 22, 2006 5:08 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Security permission continues to be "auto-removed" We have some users that have mobile devices that connect to Exchange.  The 3rd party application uses a dedicated account to send mail from the devices.  This account needs to have "Send As..." permissions on each of the user accounts' security settings.  We have set it in all users (about two dozen) but one user in particular has a problem.  We set the permission and give it "Send As..." rights (just like all the others - no different), but usually within an hour, the newly added permission is gone - not just the "Send As" setting, but the whole account name is gone from this user's security settings as if we never added it in the first place.  We have five DC's and I have tried adding it from each DC with the same results.  I am baffled by this.  Does anyone have any suggestions?