Re: [ActiveDir] AD Security permission continues to be "auto-removed"

[J B]

I should add that I have fixed the problem by using method #3 as posted here:  http://www.akomolafe.com/JustSaying/tabid/193/EntryID/20/Default.aspx  This particular account is a member of the "Account Operators" group - which was the one causing the "problem". ----- Original Message ----- From: joe To: ActiveDir@mail.activedir.org Sent: Friday, June 23, 2006 9:12 AM Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed" Yeah, like rename Domain Admins to "Unimportant People" and create a new group called Domain Admins and put the CIO in it. There is no excuse for a CIO to be in Domain Admins unless the company is under 5 people.   The only people who should be in domain admins are the people you expect to fix everything when the world hits the floor. If someone isn't in that category, they don't get rights to modify everything because it just puts them in a position to cause work for someone else.   I would tell that to the CIO of any company. If the CIO wants, he can hold the envelope that has the password for the builtin Admin account, that password should be like 250 characters so he/she isn't interested in actually trying to use it.   -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm      From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Friday, June 23, 2006 11:01 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed" Only Sith deal in absolutes :P   When you have a CIO that likes to be in the Domain Admins group, you sometimes have to pick your battles.   Todd   From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, June 23, 2006 10:18 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"   There is no debate on admins having multiple creds, one for admin work and one for normal work. Just do it. :)   To put it nicely, if a company doesn't do this, they are just being silly[1].   I am trying to figure out if there is ever a valid reason I think that an admin should have a single ID in a company. I can't come up with one.      joe       [1] Instead of silly think of mean words used to describe really silly people.   -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Friday, June 23, 2006 6:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed" One more thing to add to this from my experience.   I think we had situations arise where someone was trying to pragmatically modify or read attributes on accounts in the protected groups and was not able to due to their membership within a protected group.  This of course started the hot debate on admins having multiple credentials, one for administrative duties, the other for collaborative and identity purposes.   Todd   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, June 22, 2006 9:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Security permission continues to be "auto-removed"   I have a 2-part discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx   It's a bit headache-inducing, but at least you will get the benefit of knowing that it is "by design"   HTH Sincerely,    _____                                  (, /  |  /)               /)     /)       /---| (/_  ______   ___// _   //  _  ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/                             /)                                     (/       Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B Sent: Thursday, June 22, 2006 5:08 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Security permission continues to be "auto-removed" We have some users that have mobile devices that connect to Exchange.  The 3rd party application uses a dedicated account to send mail from the devices.  This account needs to have "Send As..." permissions on each of the user accounts' security settings.  We have set it in all users (about two dozen) but one user in particular has a problem.  We set the permission and give it "Send As..." rights (just like all the others - no different), but usually within an hour, the newly added permission is gone - not just the "Send As" setting, but the whole account name is gone from this user's security settings as if we never added it in the first place.  We have five DC's and I have tried adding it from each DC with the same results.  I am baffled by this.  Does anyone have any suggestions?