Posted by markbritt on January 4, 2007, 3:28 pm
That did the trick. Thanks all.
Mark
Joe Richards [MVP] wrote:
> After you clear admincount you need to reenable inheritance on the ACL,
> look under the security tab in advanced. The sdprop thread only takes
> permissions away when admincount is 1, it doesn't put perms back in
> place if admincount isn't 1, that would be a trainwreck.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> Author of O'Reilly Active Directory Third Edition
> www.joeware.net
>
>
> ---O'Reilly Active Directory Third Edition now available---
>
> http://www.joeware.net/win/ad3e.htm
>
>
> markbritt wrote:
> > Laura:
> > Thanks for the info - indeed both accounts had the admincount attribute
> > set to 1. Set it to 0. According to the link you provided, it could
> > take about an hour before the thread will run. Checked these accounts
> > 2 hours later and while the attribute is set to 0, I still don't have
> > the HelpDesk group listed in the Security tab, nor am I able to modify
> > the lockout on these two accounts. Did I need to do something else
> > other than change this attribute?
> >
> > Thanks,
> > Mark
> >
> > Laura E. Hunter [MVP] wrote:
> >> You're seeing a behaviour related to the adminSDHolder process, see the
> >> following article for an explanation of what's happening:
> >> http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx.
> >>
> >> To correct the issue for the 2 accounts who are no longer members of any
> >> protected groups, simply modify the user objects using ADSI Edit (or
> >> adfind/admod from www.joeware.net) and set their admincount attribute to a
> >> value of zero (0).
> >>
> >> HTH
> >>
> >> --
> >> Laura E. Hunter
> >> Microsoft MVP: Windows Server - Networking
> >> Author: _Active Directory Consultant's Field Guide_
> >> (http://tinyurl.com/7f8ll)
> >> Author: _Active Directory Cookbook, Second Edition_
> >> (http://tinyurl.com/z7svl)
> >>
> >> Responses provided as-is; no warranties expressed or implied
> >>> Created a group called HelpDesk that will allow those users to unlock
> >>> an account via a custom MMC console. The group HelpDesk has four IT
> >>> members in it. In AD Users and Computers, I highlighted the domain and
> >>> invoked the Delegation of Control wizard. I added the HelpDesk group
> >>> and allowed them to 'reset' the password. I then went into the
> >>> permissions and checked the Write lockoutTime and Read lockoutTime
> >>> values and saved.
> >>>
> >>> When I look at my Users Accounts OU, the security tab (advanced view)
> >>> for all members shows the HelpDesk having special permissions - EXCEPT
> >>> for 2 of the accounts. Both of these accounts were part of Domain
> >>> Admins some time ago, but have been removed from that account. This
> >>> was done before the HelpDesk group was even created. It appears that
> >>> once one of my users is part of the Domain Admins group, the delegated
> >>> permissions do not apply to them. Is this correct? What can I do to
> >>> force the inherited permissions from the OU to apply to my 2 'orphaned
> >>> users'? Any help would be appreciated.
> >>>
> >>> Thanks,
> >>> Mark
> >>>
> >
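The two fixes the thread arrives at (clear adminCount, then re-enable inheritance on the object's ACL, because SDProp only ever removes permissions and never restores them) put together as a script. This is an added example, not code from the thread, from joeware or from Microsoft. It assumes the RSAT ActiveDirectory PowerShell module, which did not exist in 2007 (ADSI Edit and adfind/admod were the tools then), and DCs that support LDAP_MATCHING_RULE_IN_CHAIN (Windows Server 2003 SP2 or later). The function and parameter names, and the sample DN in the usage lines, are placeholders. It goes one step beyond the thread: instead of hard-coding the list of protected groups, it treats any group that SDProp has itself stamped with adminCount=1 as protected and only repairs users whose recursive membership contains none of them, since a user still in a protected group would simply be re-protected within the hour.

```powershell
# Added example (not from the thread or joeware): find users still stamped
# adminCount=1 that are no longer in any protected group, clear the flag, and
# re-enable ACL inheritance so OU-level delegation (the HelpDesk group's
# lockoutTime rights in the thread) applies to them again.
# Assumes the RSAT ActiveDirectory module and DCs supporting
# LDAP_MATCHING_RULE_IN_CHAIN (Windows Server 2003 SP2 or later).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN containing \ ( ) or * cannot break the filter.
    # Backslash first; "\5c" etc. are literal text in a .NET replacement string.
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-OrphanedAdminCountUser {
    # SDProp stamps adminCount=1 on the protected groups themselves, so a user
    # whose recursive membership contains no adminCount=1 group is no longer
    # protected and will not be re-stamped on the next SDProp pass.
    # krbtgt and the built-in Administrator are protected directly rather than
    # through a group, so they are skipped (adjust if Administrator was renamed).
    $filter = '(&(adminCount=1)(!(sAMAccountName=krbtgt))(!(sAMAccountName=Administrator)))'
    Get-ADUser -LDAPFilter $filter -Properties adminCount |
        ForEach-Object {
            $dn = ConvertTo-LdapFilterValue $_.DistinguishedName
            # The chain matching rule makes the DC resolve nested membership,
            # including membership in Builtin groups such as Account Operators.
            $stillProtected = Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"
            if (-not $stillProtected) { $_ }
        }
}

function Repair-OrphanedAdminCountUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $dn = $User.DistinguishedName
        if ($PSCmdlet.ShouldProcess($dn, 'Clear adminCount and re-enable ACL inheritance')) {
            # Step 1 (Laura's fix): clear the flag. Setting it to 0, as in the
            # thread, works as well; either way SDProp stops treating it as protected.
            Set-ADUser -Identity $dn -Clear adminCount

            # Step 2 (Joe's fix): SDProp set "protect from inheritance" when it
            # stamped the object and never undoes it, so re-enable it ourselves.
            # The AD: drive is provided by the ActiveDirectory module.
            $acl = Get-Acl -Path "AD:\$dn"
            if ($acl.AreAccessRulesProtected) {
                # First argument $false = inherit from the parent again; the
                # second argument is ignored when inheritance is being re-enabled.
                $acl.SetAccessRuleProtection($false, $true)
                Set-Acl -Path "AD:\$dn" -AclObject $acl
            }
        }
    }
}

function Test-DelegatedAce {
    # Verification: an inherited ACE for the delegated group should now exist
    # on the user, which is what Mark was missing on the Security tab.
    param([string]$DistinguishedName, [string]$GroupName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    [bool]($acl.Access | Where-Object {
        $_.IsInherited -and $_.IdentityReference -like "*\$GroupName"
    })
}

# Usage (placeholder DN): review first with -WhatIf, then apply and verify.
Get-OrphanedAdminCountUser | Repair-OrphanedAdminCountUser -WhatIf
Get-OrphanedAdminCountUser | Repair-OrphanedAdminCountUser
Test-DelegatedAce -DistinguishedName 'CN=Jane Doe,OU=Users Accounts,DC=example,DC=com' -GroupName 'HelpDesk'
```

Run the -WhatIf pass first and read the list: anything it names that should still be an admin account is a sign the account was removed from a protected group by mistake, not a candidate for repair. Note that the DN is LDAP-escaped only where it is embedded in a filter; the AD: provider path takes the raw DN.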