Re: Changes to ACL disappear

From: Tim Springston [MS] (tspring_at_online.microsoft.com)
Date: 09/22/04


Date: Wed, 22 Sep 2004 16:27:26 -0500

Sounds like method 2 would work best for your situation. Please repost if
we can help further.

-- 
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"pdx" <pdx@discussions.microsoft.com> wrote in message 
news:E88C9DEA-53F6-4FFA-806B-236B3A703B25@microsoft.com...
> Thanks for the info. Since "Domain Users" in my domain are members of
> "Print Operators", a reading of KB 817433 gave me an understanding of why
> my ACE changes are "disappearing". Every hour the entries are replaced by
> the ACL for adminSDHolder.
>
> I'm still a bit unclear on a solution.
>
> Method 2 seems to be the way to go for me; the way I read it enabling
> inheritance on the adminSDHolder container will stop the ACE entries from
> being overwritten. I will no longer have inheritance protection for
> administrative users but since I'm the only admin in my domain - and I'm
> relatively safe from myself - this shouldn't be a problem.
>
> The implications of Method 1 were unclear to me. Running the ldifde command
> showed that all accounts in my domain have the AdminCount attribute set to 1
> (as the result of "Print Operators" membership?).
> I don't know what the implications would be for administrative/Exchange
> service accounts to set the AdminCount to 0. Plus, I would have to remove
> "Domain Users" from "Print Operators" for this to work. I inherited this
> setup and removing the group from Print Operators would take away access
> users have had for a long time (and add extra admin work for me). If I removed
> Domain Users and added individual accts - or a group - to Print Operators the
> AdminCount attribute would still be set to 1 and my problem would still exist
> for the accounts in question.
>
> Method 3 seems to mean that I would have to - in effect - give everybody
> "Send As" access to everyone else's mailbox.
>
> Sorry about the lengthy question. As far as you can see does Method 2 seem
> to offer a solution to my problem?
>
>
>
>
> "Tim Springston [MS]" wrote:
>
>> The article they provided to you may still be the culprit. There is
>> enhanced functionality for the AdminSDHolder feature that will re-ACL
>> based on transitive group membership in protected security groups.
>>
>> Here's an additional article or two regarding that:
>>
>> 817433 Delegated permissions are not available and inheritance is automatically
>> http://support.microsoft.com/?id=817433
>>
>> 318180 AdminSDHolder Thread Affects Transitive Members of Distribution Groups
>> http://support.microsoft.com/?id=318180
>>
>> Please repost if that does not help, or if you have any additional
>> questions or concerns.
>>
>> -- 
>> Tim Springston
>> Microsoft Corporation
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>>
>> "pdx" <pdx@discussions.microsoft.com> wrote in message
>> news:D1D579EF-E1A0-47EB-ADED-7EF230FEB42D@microsoft.com...
>> > When I use ADUC and give a user "Send As" rights in the ACL of the
>> > target user's account, the ACE that I added eventually disappears. I was
>> > pointed to KB 232199 by someone on the Exchange 2000 newsgroup but that
>> > doesn't seem to apply and running "dsacls" came back with the proper
>> > permissions.
>> >
>> > I need the ability to give users "Send As" rights and I'm at a loss so
>> > any ideas will be appreciated.
>> >
>> >
>>
>>
>> 
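
The transitive-membership effect discussed in this thread, as an added example that is not part of the original posts: it parses an ldifde-style export and reports the group chain that makes each user a protected account, including membership through the primary group, which never appears in a group's `member` attribute. The domain name, the accounts, and the presence of `primaryGroupToken` in the export are assumptions made for the sample.

```python
# Constructed sample, trimmed to the attributes used below (not data from the thread).
SAMPLE_LDIF = """\
dn: CN=Print Operators,CN=Builtin,DC=example,DC=test
member: CN=Domain Users,CN=Users,DC=example,DC=test

dn: CN=Domain Users,CN=Users,DC=example,DC=test
primaryGroupToken: 513

dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
primaryGroupID: 513
adminCount: 1

dn: CN=kiosk,CN=Users,DC=example,DC=test
objectClass: user
primaryGroupID: 514
"""
# Only the protected group named in the thread; extend for a real audit.
PROTECTED = {"CN=Print Operators,CN=Builtin,DC=example,DC=test"}

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}}; folded lines are joined first."""
    objs = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.replace("\n ", "").splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(val)
        objs[attrs["dn"][0]] = attrs
    return objs

def protection_paths(objs, protected=PROTECTED):
    """Map each user DN to the group chain that protects it, or None."""
    parents = {}  # child DN -> groups it is a direct member of
    token = {a["primarygrouptoken"][0]: dn
             for dn, a in objs.items() if "primarygrouptoken" in a}
    for dn, a in objs.items():
        for child in a.get("member", []):
            parents.setdefault(child, set()).add(dn)
        # Primary-group membership is resolved through the group's RID.
        pg = token.get(a.get("primarygroupid", [""])[0])
        if pg:
            parents.setdefault(dn, set()).add(pg)
    def walk(dn, seen):  # depth-first search, 'seen' guards against group loops
        for g in sorted(parents.get(dn, set()) - seen):
            rest = [] if g in protected else walk(g, seen | {g})
            if rest is not None:
                return [g] + rest
        return None
    return {dn: walk(dn, {dn}) for dn, a in objs.items()
            if "user" in a.get("objectclass", [])}
```

In the sample, `alice` is reported as protected through Domain Users and then Print Operators, which is the situation pdx describes, while `kiosk` has no path to a protected group.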

