Jorge, thanks for your reply post i certainly favour the former option on account of the other being a forest-wide configuration.
on this basis if we have removed the user from protected groups then doesn't setting do the job ? the permission we are 'losing' is not one that is set at parent OU level and set explicitly on the object so inheritance of the permission is not OR is there something else that needs to be re-enabled by changing the inhertiance on the user object ?? GT 1. removed user from all protected groups > setting the attribute to 0 only will not help.... > > to stop the adminsdholder from managing a certain group/user you either: > * remove it from a protected group, check inheritance and reset admincount to > <not > set> > * configure dsheuristics (forest-wide config) as mentioned in > http://support.microsoft.com/?id=817433 for some default protected groups (not > recommended as you should not use the default admin groups, but instead > delegate > stuff) > > also see: > http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx > > Met vriendelijke groeten / Kind regards, > Ing. Jorge de Almeida Pinto > Senior Infrastructure Consultant > MVP Windows Server - Directory Services > > LogicaCMG Nederland B.V. (BU RTINC Eindhoven) > ( Tel : +31-(0)40-29.57.777 > ( Mobile : +31-(0)6-26.26.62.80 > * E-mail : <see sender address> > > ________________________________ > > From: [EMAIL PROTECTED] on behalf of Graham Turner > Sent: Tue 2007-01-16 15:37 > To: [email protected] > Subject: [ActiveDir] adminsdholder > > > > Dear all, i think we experieincing issues re not being able to reset > permissions on > an object that was previously member of protected groups > > i have read that the issue is around the reset of the value of 'admincount' > attribute. > > as i learn this gets set to 1 when it is becomes a member of protected > groups, but > ju > > i wanted to confirm that is a 'supported' operation to merely reset this data > to 0 > to undo the effect of adminssdholder ?? > > or whether there are other changes that need to be considered. ? > > G > > > > > > > > > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ma/default.aspx > > > > > This e-mail and any attachment is for authorised use by the intended > recipient(s) > only. It may contain proprietary material, confidential information and/or be > subject to legal privilege. It should not be copied, disclosed to, retained > or used > by, any other party. If you are not an intended recipient then please promptly > delete this e-mail and any attachment and all copies and inform the sender. > Thank > you. > > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
