Re: Changes to ACL disappear
From: Tim Springston [MS] (tspring_at_online.microsoft.com)
Date: Wed, 22 Sep 2004 16:27:26 -0500
Sounds like method 2 would work best for your situation. Please repost if
we can help further.
-- Tim Springston Microsoft Corporation This posting is provided "AS IS" with no warranties, and confers no rights. "pdx" <email@example.com> wrote in message news:E88C9DEA-53F6-4FFA-806B-236B3A703B25@microsoft.com... > Thanks for the info. Since "Domain Users" in my domain are members of > "Print > Operators", a reading of KB 817433 gave me an understanding of why my ACE > changes are "disappearing". Every hour the entries are replaced by the ACL > for adminSDHolder. > > I'm still a bit unclear on a solution. > > Method 2 seems to be the way to go for me; the way I read it enabling > inheritance on the adminSDHolder container will stop the ACE entries from > being overwritten. I will no longer have inheritance protection for > administrative users but since I'm the only admin in my domain - and I'm > relatively safe from myself - this shouldn't be a problem. > > The implications of Method 1 were unclear to me. Running the ldifde > command > showed that all accounts in my domain have the AdminCount attribute set to > 1 > (as the result of "Print Operators" membership ?). > I don't know what the implications would be for administrative/Exchange > service accounts to set the AdminCount to 0. Plus, I would have to remove > "Domain Users' from "Print Operators" for this to work. I inherited this > set > up and removing the group from Print Operators would take away access > users > have had for a long time (and add extra admin work for me). If I removed > Domain Users and added individual accts - or a group - to Print Operators > the > AdminCount attribute would still be set to 1 and my problem would still > exist > for the accounts in question. > > Method 3 seems to mean that I would have to - in effect - give everybody > "Send As" access to everyone else's mailbox. > > Sorry about the lengthy question. As far as you can see does Method 2 seem > to offer a solution to my problem? > > > > > "Tim Springston [MS]" wrote: > >> The article they provided to you may still be the culprit. There is >> enhanced >> functionality for the AdminSDHolder feature that will re-ACL based on >> transitive group membership in protected security groups. >> >> Here's an additional article or two regarding that: >> >> 817433 Delegated permissions are not available and inheritance is >> automatically >> http://support.microsoft.com/?id=817433 >> >> 318180 AdminSDHolder Thread Affects Transitive Members of Distribution >> Groups >> http://support.microsoft.com/?id=318180 >> >> Please repost if that does not help, or if you have any additional >> questions >> or concerns. >> >> -- >> Tim Springston >> Microsoft Corporation >> This posting is provided "AS IS" with no warranties, and confers no >> rights. >> >> >> "pdx" <firstname.lastname@example.org> wrote in message >> news:D1D579EF-E1A0-47EB-ADED-7EF230FEB42D@microsoft.com... >> > When I use ADUC and give a user "Send As" rights in the ACL of the >> > target >> > user's account, the ACE that I added eventually disappears. I was >> > pointed >> > to >> > KB 232199 by someone on the Exchange 2000 newsgroup but that doesn't >> > seem >> > to >> > apply and running "dsacls" came back with the proper permissions. >> > >> > I need the ability to give users "Send As" rights and I'm at a loss so >> > any >> > ideas will be appreciated. >> > >> > >> >> >>