John,

OK, the users you are talking about are non-default-admin-users and are not
members of protected groups and never have been.

Maybe a strange question.. which groups is the domain users group a member
of?

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: 'ActiveDir@mail.activedir.org '
Sent: 6/10/2005 10:10 PM
Subject: Re: [ActiveDir] troubleshooting object permission inheritance

Jorge --

I was following those threads which unfortunately did not clue me in.
The users that have AdminCount=1 but shouldn't, have never been in a
protected group, nor are they in a non-protected group that is nested in
a protected group.

I have even gone so far as to remove all group memberships (besides 
Domain Users) for a particular user, force replication, admod the 
attribute to 0 and still it resets to 1 after an hour.

Thanks for the reply - I'd appreciate any more feedback you may have.

john

Jorge de Almeida Pinto wrote:
> Hi,
> 
> This was a thread that was discussed a few days ago. See the following post
> from Joe where he explains some things in addition to my own post.
> http://www.mail-archive.com/activedir@mail.activedir.org/msg29621.html
> 
> HINTS:
> * nested groups -> is that user a member of a non-default-protected-group
> and where that non-default-protected-group IS a member of a protected group.
> * were those users somehow members of protected groups in the past? If they
> were and now are not the admincount will not be reset to 0
> 
> Is this an answer to your issue?
> 
> #JORGE#
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Sent: 6/10/2005 8:35 PM
> Subject: [ActiveDir] troubleshooting object permission inheritance
> 
> Greetings --
> 
> Using adfind to identify users who have the AdminCount attribute set to 1.
> 
> Looking at the output there are users who are expected to have that set
> seeing that they are Domain Admins BUT I also see a handful of users who
> are not members of a protected group.
> 
> Using admod to set AdminCount=0 for those users temporarily sets it 
> until the PDC mechanism runs which compares the ACLs and resets it.
> 
> If the user isn't in a protected group then what is causing this
> behavior?  And I guess once I know that I can set AdminCount=0 for them,
> permanently?
> 
> tia,
> 
> john
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 
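An added example, not part of the original thread: a Python check for the nested-group hint and the question about which groups Domain Users belongs to, reporting for each AdminCount=1 user the membership chain that reaches a protected group. The directory data, every name other than Domain Admins and Domain Users, and the protected-group subset are constructed for illustration.

```python
from collections import deque

# Constructed sample (not from the thread): object -> groups it is directly in.
# Include each user's primary group; AD does not list it in memberOf.
DIRECT_GROUPS = {
    "alice": ["Domain Users", "Domain Admins"],
    "bob": ["Helpdesk"],
    "carol": ["Domain Users"],
    "erin": ["Contractors"],
    "Helpdesk": ["Tier2 Ops"],
    "Tier2 Ops": ["Helpdesk", "Print Operators"],  # cycle plus protected parent
    "Domain Users": ["Legacy Print Admins"],
    "Legacy Print Admins": ["Print Operators"],
    "Contractors": [],
}
ADMIN_COUNT = {"alice": 1, "bob": 1, "carol": 1, "erin": 1, "frank": 0}
# Assumed subset of protected groups for this sample.
PROTECTED = {"Domain Admins", "Print Operators"}


def path_to_protected(obj, groups=DIRECT_GROUPS, protected=PROTECTED):
    """Breadth-first walk up the membership graph. Returns the shortest chain
    from obj to a protected group, or None; `seen` stops group cycles."""
    queue, seen = deque([[obj]]), {obj}
    while queue:
        chain = queue.popleft()
        for group in groups.get(chain[-1], []):
            if group in protected:
                return chain + [group]
            if group not in seen:
                seen.add(group)
                queue.append(chain + [group])
    return None


def classify(admin_count=ADMIN_COUNT):
    """adminCount=1 users -> chain that keeps them protected, or None when no
    current path exists (possibly a flag left from a past membership)."""
    return {user: path_to_protected(user)
            for user, count in admin_count.items() if count == 1}


if __name__ == "__main__":
    for user, chain in classify().items():
        print(f"{user}: {' -> '.join(chain) if chain else 'no current path'}")
```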