[ExchangeList] Re: Active directory permissions

  • From: "Jason Sherry" <Jason.Sherry@xxxxxxxxxxxxxxxxxx>
  • To: <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 2 May 2006 17:17:58 -0400


There is an object in the AD called AdminSDHolder, under Domain\System
in ADSIEdit.  The object stores the permissions for any object that is a
member of an administrative group (see KB318180 for these groups) in the
AD.  In Windows 2000, not sure if this changed in 2003, the PDCE role
holder DC enumerates the objects that are a member of this group and
resets the permissions on them if they are different than the
permissions on AdminSDHolder.


This might be where the odd permissions are being set from.

Jason Sherry - Pro Exchange http://www.theproexchange.com
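The behaviour the three messages describe is the AdminSDHolder/SDProp mechanism: the PDC emulator periodically (every 60 minutes by default) copies the DACL of CN=AdminSDHolder,CN=System onto every object that is a member of a protected group, blocks ACL inheritance on it and stamps adminCount=1 on it; adminCount is not cleared when the account later leaves the group, so such an account keeps getting its permissions reset (the "orphaned adminCount" case that makes a plain user's Send As entry vanish). The PowerShell below is an added example, not code from any of the posters: it lists the objects currently marked adminCount=1, flags the ones that are no longer in any protected group, and counts the ACEs on each that differ from the template. It assumes the RSAT ActiveDirectory module and read access to the domain; the protected-group list is the commonly documented one and should be checked against the KB article for your Windows version (krbtgt is protected directly, so it is expected to show as not in a group).

```powershell
# Added example (not from the thread): audit objects protected by AdminSDHolder.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive) and a domain
# account that can read security descriptors.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$templateDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Commonly documented protected groups (assumed list; verify for your OS version)
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins',
    'Schema Admins', 'Account Operators', 'Server Operators',
    'Backup Operators', 'Print Operators', 'Replicator'

# Build one LDAP filter that resolves nested membership via
# LDAP_MATCHING_RULE_IN_CHAIN, so members of groups nested inside a
# protected group are counted as protected too
$memberFilters = foreach ($name in $protectedGroups) {
    $g = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    if ($g) { "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" }
}
$inProtectedGroup = @(Get-ADObject -LDAPFilter "(|$($memberFilters -join ''))" |
    Select-Object -ExpandProperty DistinguishedName)

# Normalise an ACE to a string so two DACLs can be diffed with Compare-Object
function ConvertTo-AceString {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritanceType
}

# The template DACL that SDProp stamps onto protected objects
$templateAces = @((Get-Acl -Path "AD:\$templateDn").Access |
    ForEach-Object { ConvertTo-AceString $_ })

# Every object SDProp has touched carries adminCount=1, even if it has since
# left all protected groups (that is the case to look for when a normal
# user's permissions keep "reverting")
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount | ForEach-Object {
    $dn   = $_.DistinguishedName
    $acl  = Get-Acl -Path "AD:\$dn"
    $aces = @($acl.Access | ForEach-Object { ConvertTo-AceString $_ })
    $diff = @(Compare-Object -ReferenceObject $templateAces -DifferenceObject $aces)

    [pscustomobject]@{
        Name               = $_.Name
        Class              = $_.ObjectClass
        InProtectedGroup   = ($inProtectedGroup -contains $dn)   # $false => stale adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected         # SDProp sets this to $true
        AcesNotInTemplate  = @($diff | Where-Object SideIndicator -eq '=>').Count
        AcesMissing        = @($diff | Where-Object SideIndicator -eq '<=').Count
    }
} | Format-Table -AutoSize
```

An account that shows InProtectedGroup false but InheritanceBlocked true is the situation Rich and Sohail describe: it was once in a protected group, still carries adminCount=1, and will have any hand-made ACL change undone on the next SDProp pass. The remedy is to decide whether the account really needs admin-group membership; if not, remove it from the group, clear adminCount and re-enable inheritance, after which the delegated permissions stay put. Any unexpected identity that appears on AdminSDHolder itself (the AcesNotInTemplate count only shows the object side) is worth investigating, since it will be propagated to every protected account.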


From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Rich Gallo
Sent: Tuesday, May 02, 2006 11:14 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: Active directory permissions


There are groups in AD in which you can't change the permissions of the
membership (in other words, if users are a member of the Domain Admins
group, changing permissions at that group level usually won't take and
will remove anything that you add or change).  I believe this happens
with all built-in groups such as Domain Admins.  


Let me try to give you an example:


You are trying to give User A the Send As permission for another user,
User B.  So you go into User B and add User A's account and assign the
appropriate permissions.  15 minutes later, you go in to User B's
permissions and find that User A was "mysteriously" removed.  Why did
this happen??  There is a process that runs in AD that checks all the
permissions in specified groups (I know Domain Admins is one of them,
not sure of the others).  If anything doesn't jive with what it should
be, permissions are reverted back to their original state.  Why does
this affect User B you ask??  Well, User B is somehow a member of the
Domain Admins group or some other group that this AD process affects.
If you don't know the exact group membership of a user, you may have to
do some investigative work to find out and remove that user.  FUN!

I hope that helps a little.  Anyone agree with me, as I may not be
explaining this correctly.... :-) 

From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Sohail Malik
Sent: Tuesday, May 02, 2006 12:36 PM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Active directory permissions


Hi All


I am facing a strange issue at the moment with AD. I have noticed
that one of my admin accounts' permission settings has the Everyone
group with the Change Password permission, along with two unknown
accounts (scary, ain't it). I have tried removing the accounts and the
Everyone group from the security settings, but after a while it reverts
back to the same old settings.. Please help.

  Sohail Malik

   IT Analyst