RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

[Derek Harris]

Print operators is a protected group in 2k3.  Robert Williams' post included a full list of the protected groups in 2k & 2k3.  The AdminSDHolder attribute is set to 1 for members of protected groups.  Another admin thought that several users needed to be in the print operators group to manage print jobs.

 

Here's Robert's post:
>>>>>>>>
Maybe AdminSDHolder is biting you?

Here’s an article that talks about the Send-As specifically, but it’s more than just that:

http://support.microsoft.com/kb/907434/

If the user in question is a member of any of the following groups, then you could be seeing this:

The following list describes the protected groups in Windows 2000:

•	Enterprise Admins
•	Schema Admins
•	Domain Admins
•	Administrators

The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:

•	Administrators
•	Account Operators
•	Server Operators
•	Print Operators
•	Backup Operators
•	Domain Admins
•	Schema Admins
•	Enterprise Admins
•	Cert Publishers

Additionally the following users are also considered protected:

•	Administrator
•	Krbtgt

The above was taken from:  http://support.microsoft.com/kb/817433/

Robert Williams 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, September 07, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

Can you elaborate? What do you mean by "protected groups", and how did modifying the membership of the Print Operators group cause you grief?

 

Thanks!

 

Laura

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Thursday, September 07, 2006 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD object (User accounts) Permissions dissappearing

Did someone put that account into one of the protected groups?  "Print operators" caused us a lot of grief a while ago.

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Thursday, September 07, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account have disappeared. This has happened to new and existing users.

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,

...D