I'm doing this for a couple of my clients, for their helpdesks, even though (in general) I think it's a bad idea.
Use dsacls to do a complete dump on an affected object, and if that doesn't answer your question, post it here (or I guess send it to me directly, although I'd rather everyone get to be involved)... From: Christopher Bodnar [mailto:[email protected]] Sent: Thursday, December 03, 2009 3:43 PM To: NT System Admin Issues Subject: Permissions on AdminSDHolder I've brought this up before, but have been running into some more issues. Anyone else modifying the permission on the AdminSDHolder object to grant permissions as described in this KB article? http://support.microsoft.com/?id=817433 In our scenario I've got different support groups that need different rights. One group needs to reset passwords for example, while another might need that and to manipulate GPOs. The problem is just on accounts that are in protected groups. Everything looks like it works as far as permissions go. For example I've created a group and given it permission on the AdminSDHolder object and after an hour I see that they have propagated to user accounts in protected groups (i.e. Account Operators). But when I look at effective permissions, they aren't' there. Almost like something is overwriting or blocking them. I see no specific deny anywhere in the ACLs. Very frustrating. Chris Bodnar, MCSE Sr. Systems Engineer Infrastructure Service Delivery Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: [email protected]<mailto:[email protected]> Phone: 610-807-6459 Fax: 610-807-6003 ________________________________ This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
