There is an object in the AD called AdminSDHolder, under Domain\System in ADSIEdit. The object stores the permissions for any object that is a member of an administrative group (see KB318180 for these groups) in the AD. In Windows 2000, not sure if this changed in 2003, the PDCE role holder DC enumerates the objects that are a member of this group and resets the permissions on them if they are different than the permissions on AdminSDHolder.

This might be where the odd permissions are being set from.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318180
http://support.microsoft.com/?kbid=232199

Jason Sherry - Pro Exchange
http://www.theproexchange.com

________________________________
From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Rich Gallo
Sent: Tuesday, May 02, 2006 11:14 AM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: Active directory permissions

There are groups in AD in which you can't change the permissions of the membership (in other words, if users are a member of the Domain Admins group, changing permissions at that group level usually won't take and will remove anything that you add or change). I believe this happens with all built-in groups such as Domain Admins.

Let me try to give you an example:

You are trying to give User A the Send As permission for another user, User B. So you go into User B and add User A's account and assign the appropriate permissions. 15 minutes later, you go in to User B's permissions and find that User A was "mysteriously" removed. Why did this happen??

There is a process that runs in AD that checks all the permissions in specified groups (I know Domain Admins is one of them, not sure of the others). If anything doesn't jibe with what it should be, permissions are reverted back to their original state.

Why does this affect User B, you ask?? Well, User B is somehow a member of the Domain Admins group or some other group that this AD process affects.

If you don't know the exact group membership of a user, you may have to do some investigative work to find out and remove that user. FUN!

I hope that helps a little. Anyone agree with me, as I may not be explaining this correctly.... :-)

________________________________
From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Sohail Malik
Sent: Tuesday, May 02, 2006 12:36 PM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Active directory permissions

Hi All

I am facing a strange issue at the moment with AD. I have noticed that one of my admin accounts' permission settings has the Everyone group with change password permission, with two unknown accounts (scary, ain't it). I have tried removing the accounts and the Everyone group from the security settings, but after a while it reverts back to the same old settings.

Please help.

SWIIS UK LTD
Sohail Malik
IT Analyst
e:sohail.malik@xxxxxxxxx
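
The "investigative work" mentioned in the thread (finding which protected group an account belongs to, and whether its permissions were stamped from AdminSDHolder) can be scripted. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available, and the function name and the `userb` account are hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and read access
# to the domain; Get-AdminSDHolderStatus is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-AdminSDHolderStatus {
    param([Parameter(Mandatory)][string]$Identity)

    $domainDn = (Get-ADDomain).DistinguishedName
    $user     = Get-ADUser -Identity $Identity -Properties adminCount

    # Escape characters that are special inside an LDAP filter value
    # (RFC 4515). The backslash has to be handled first.
    $dn = $user.DistinguishedName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    # Protected groups carry adminCount=1. The matching-rule OID
    # 1.2.840.113556.1.4.1941 walks nested membership. Membership held only
    # through primaryGroupID is not stored in 'member' and will not show here.
    $groups = Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"

    # AdminSDHolder is the template object described in the thread. Only the
    # DACL is compared; once the reset has run, the two are expected to match.
    $holderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"
    $userAcl   = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    [pscustomobject]@{
        User            = $user.SamAccountName
        AdminCount      = $user.adminCount
        ProtectedGroups = $groups.Name
        DaclMatches     = $holderAcl.GetSecurityDescriptorSddlForm('Access') -eq
                          $userAcl.GetSecurityDescriptorSddlForm('Access')
        # Entries that will be re-applied to every protected account;
        # unresolved (deleted or foreign) accounts appear as raw SIDs.
        TemplateAces    = $holderAcl.Access |
            Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
    }
}

# Sample call; 'userb' is a hypothetical sAMAccountName.
Get-AdminSDHolderStatus -Identity 'userb'
```

`adminCount` is not cleared when an account leaves a protected group, so `AdminCount` of 1 with an empty `ProtectedGroups` points to past membership rather than current protection.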