Um, I am an 1D10T. Users in question didn't have "Include inheritable permissions from this object's parent". That explains why the symptom is.....not inheriting permissions from its parent.

Check that little box and presto. No idea how some of those got unchecked, dunno if it's worth looking into, either.

Thanks for the cycles Michael, I appreciate the effort!

Dave Lum - Systems Engineer
[EMAIL PROTECTED] - (971)-222-1025
"When you step on the brakes your life is in your foot's hands"

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 11:40 AM
To: NT System Admin Issues
Subject: RE: Permission propegation in AD..."KindaSorta brokedid"

I would start off by checking to see if the users that it DOESN'T work on have some particular group membership in common. Like, oh, Administrators. Or Power Users. Or something.

Regards,
Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: David Lum [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 2:12 PM
To: NT System Admin Issues
Subject: RE: Permission propegation in AD..."KindaSorta brokedid"

I was afraid of that answer, especially the "metric gazillion". Yes I can manually create it per user, but it's a *major* PITA, I'm checking off 14 different attributes....

I have tried moving users from one OU to another but it seems like, as you said, the user object itself has inheritance blocked...curious that the "Account Unknown" even shows in the first place. I need to find the root cause because it tells me I have something not working as expected...

Dave Lum - Systems Engineer
[EMAIL PROTECTED] - (971)-222-1025
"When you step on the brakes your life is in your foot's hands"

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 10:24 AM
To: NT System Admin Issues
Subject: RE: Permission propegation in AD..."KindaSorta brokedid"

So ADUC says "Account Unknown"? Then that's something else entirely. I doubt highly it's your newly created group....(name2sid is a utility that could 100% verify that, but try something else first...).

That user object, for whatever reason, has inheritance blocked on it. There could be, oh, a metric gazillion reasons why. Have you attempted to manually add the group to that user?

Regards,
Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: David Lum [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 1:15 PM
To: NT System Admin Issues
Subject: RE: Permission propegation in AD..."KindaSorta brokedid"

Long version. rDirectory (basically a non-tech-friendly GUI to AD) has an "edit" button available if the receptionist has permissions to change anything for a given user. The receptionist gave me a list of users with no "edit" button...and in each case it corresponds to the security group I created (PHONE-ADDR ACCESS) not being listed in the Security tab of that user in ADUC. I see "Account unknown" and a SID, so it's like it mostly makes it but can't resolve the SID to a name.

Put another way, for receptionist Bill to modify the department data of Ted, the PHONE-ADDR ACCESS group (which Bill is a member of) needs permissions on Ted's Active Directory account. I went to my User OU (via ADUC) and gave PHONE-ADDR ACCESS permissions to some AD user fields and said "propagate this down". Propagation doesn't seem to complete to all user objects in the same OU, just most of them.

Dave Lum - Systems Engineer
[EMAIL PROTECTED] - (971)-222-1025
"When you step on the brakes your life is in your foot's hands"

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 9:56 AM
To: NT System Admin Issues
Subject: RE: Permission propegation in AD..."KindaSorta brokedid"

I don't understand. Who is doing the looking? The receptionist? Or the users? How are they (whoever "they" are) doing the looking?

Regards,
Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: David Lum [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 10:10 AM
To: NT System Admin Issues
Subject: Permission propegation in AD..."KindaSorta brokedid"

I created a group for delegation so our receptionist can use rDirectory (3rd party app) to change some selected AD properties (Job title, manager, etc) in an OU I have (\Oregon Users). I have this group set to be able to read/write roomNumber and set to "apply to descendant user objects". I have OUs under \Oregon Users and the permissions propagate down, but I have several users (a couple dozen?) that, when looking at their security, show "account unknown" instead of the group name that I created. For a given OU it might show 30 users' security settings as expected, but a few in the same OU have the "account unknown".

Any ideas on what to do or where to look to fix this?

Dave Lum - Systems Engineer
[EMAIL PROTECTED] - (971)-222-1025
"When you step on the brakes your life is in your foot's hands"

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
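
Added example, not part of the original thread: a PowerShell audit for the cause reported in the newest message at the top (user objects with inheritance switched off), which also reports `adminCount`, the attribute set on members of protected groups such as Administrators, the kind of shared membership the 11:40 AM reply suggests checking. Assumptions: the ActiveDirectory module (RSAT) is installed, the OU distinguished name is a placeholder for the real domain, and the group's account name matches the name given in the thread.

```powershell
# Added example; requires the ActiveDirectory module (RSAT) and read access to
# the users' security descriptors.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUser {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # OU to audit (DN)
        [Parameter(Mandatory)] [string] $GroupName    # delegated group expected in each ACL
    )

    # Compare by SID so the result does not depend on name resolution.
    $groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree `
               -Properties nTSecurityDescriptor, adminCount |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            # Explicit and inherited ACEs, with identities returned as SIDs.
            $aces = $sd.GetAccessRules($true, $true,
                        [System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                # True when "Include inheritable permissions from this
                # object's parent" is unchecked on the object.
                InheritanceBlocked = $sd.AreAccessRulesProtected
                # 1 means the account is, or once was, in a protected group;
                # AdminSDHolder disables inheritance on those accounts.
                AdminCount         = $_.adminCount
                GroupAcePresent    = [bool]($aces |
                    Where-Object { $_.IdentityReference.Value -eq $groupSid })
                DistinguishedName  = $_.DistinguishedName
            }
        } |
        # Keep only the objects the delegation did not reach.
        Where-Object { $_.InheritanceBlocked -or -not $_.GroupAcePresent }
}

# Placeholder DN (assumption): substitute the real domain components.
Get-InheritanceBlockedUser -SearchBase 'OU=Oregon Users,DC=example,DC=com' `
                           -GroupName 'PHONE-ADDR ACCESS' |
    Sort-Object DistinguishedName |
    Format-Table SamAccountName, InheritanceBlocked, AdminCount, GroupAcePresent -AutoSize
```

Accounts listed with `InheritanceBlocked` true and an empty `AdminCount` had inheritance turned off by some other means and are the ones worth tracing.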
