have you also changed the inheritance setting of those accounts?

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/10/2005 10:54 PM
Subject: Re: [ActiveDir] troubleshooting object permission inheritance

not a strange question ... i looked into that when i first started the troubleshooting process .... Domain Users is a member of the Builtin Users group which is not a protected group in my environment.

Just so i have it straight: If a user is a member of a protected group its AdminCount attribute will be 1. If said user is removed from that group its AdminCount attribute will remain 1 until it is changed. Once it is removed from the protected group and the attribute changed to 0 it should remain at 0 - yes?

Back to my problem - user is not a member of a protected group and i can't change the AdminCount to 0 w/o it being reset to 1.

thanks so far,

john

Jorge de Almeida Pinto wrote:

> John,
>
> OK, the users you are talking about are non-default-admin-users and are not
> members of protected groups and never have been.
>
> Maybe a strange question.. which groups is the domain users group a member
> of?
>
> #JORGE#
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: 'ActiveDir@mail.activedir.org '
> Sent: 6/10/2005 10:10 PM
> Subject: Re: [ActiveDir] troubleshooting object permission inheritance
>
> Jorge --
>
> I was following those threads which unfortunately did not clue me in.
> The users that have AdminCount=1 but shouldn't have never been in a
> protected group nor are they in a non protected group that is nested in
> protected group.
>
> I have even gone so far as to remove all group memberships (besides
> Domain Users) for a particular user, force replication, admod the
> attribute to 0 and still it resets to 1 after an hour.
>
> Thanks for the reply - i'd appreciate any more feedback you may have.
>
> john
>
> Jorge de Almeida Pinto wrote:
>
>>Hi,
>>
>>This was a thread that was discussed a few days ago. See the following post
>>from Joe where he explains some things in addition to my own post.
>>http://www.mail-archive.com/activedir@mail.activedir.org/msg29621.html
>>
>>HINTS:
>>* nested groups -> is that user a member of a non-default-protected-group
>>and where that non-default-protected-group IS a member of a protected group.
>>* were those users somehow members of protected groups in the past? If they
>>were and now are not the admincount will not be reset to 0
>>
>>Is this an answer to your issue?
>>
>>#JORGE#
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>To: ActiveDir@mail.activedir.org
>>Sent: 6/10/2005 8:35 PM
>>Subject: [ActiveDir] troubleshooting object permission inheritance
>>
>>Greetings --
>>
>>Using adfind to identify users who have the AdminCount attribute set to
>>1.
>>
>>Looking at the output there are users who are expected to have that set
>>seeing that they are Domain Admins BUT i also see a handful of users who
>>are not members of a protected group.
>>
>>Using admod to set AdminCount=0 for those users temporarily sets it
>>until the PDC mechanism runs which compares the ACLs and resets it.
>>
>>If the user isn't in a protected group then what is causing this
>>behavior? And i guess once i know that i can set AdminCount=0 for them,
>>permanently?
>>
>>tia,
>>
>>john
>>List info : http://www.activedir.org/List.aspx
>>List FAQ : http://www.activedir.org/ListFAQ.aspx
>>List archive:
>>http://www.mail-archive.com/activedir%40mail.activedir.org/
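
The nested-group hint discussed in this thread, as an added example that is not part of the original messages: given a directory snapshot, it walks group nesting for every adminCount=1 user and reports whether a chain to a protected group exists. The account names, group names, the `PROTECTED` set and the snapshot data are all constructed for illustration.

```python
# Added example: classify adminCount=1 accounts by direct, nested or no
# membership in a protected group. All names and data below are constructed.
from collections import deque

# Assumption: the set of protected groups for this sample directory.
PROTECTED = {"Domain Admins", "Administrators"}

# Constructed snapshot: maps a principal to the groups it is directly in.
# A user's primary group (Domain Users) is listed too, since it is not in memberOf.
MEMBER_OF = {
    "alice": ["Domain Users", "Domain Admins"],
    "bob": ["Domain Users", "Helpdesk"],
    "carol": ["Domain Users"],
    "dave": ["Domain Users"],
    "Helpdesk": ["Server Ops"],
    "Server Ops": ["Administrators", "Helpdesk"],  # membership loop on purpose
    "Domain Users": ["Users"],
    "Domain Admins": ["Administrators"],
}
ADMIN_COUNT = {"alice": 1, "bob": 1, "carol": 1, "dave": 0}


def path_to_protected(principal, member_of=MEMBER_OF, protected=PROTECTED):
    """Breadth-first walk of group nesting; returns the shortest chain of
    groups ending in a protected group, or None. Tolerates membership loops."""
    queue = deque([(principal, [])])
    seen = {principal}
    while queue:
        node, path = queue.popleft()
        for group in member_of.get(node, []):
            if group in seen:
                continue
            seen.add(group)
            chain = path + [group]
            if group in protected:
                return chain
            queue.append((group, chain))
    return None


def classify(admin_count=ADMIN_COUNT):
    """Label every adminCount=1 user: 'direct', 'nested' or 'no-path'."""
    report = {}
    for user, flag in admin_count.items():
        if flag != 1:
            continue
        chain = path_to_protected(user)
        kind = "no-path" if chain is None else ("direct" if len(chain) == 1 else "nested")
        report[user] = (kind, chain)
    return report
```

A `no-path` result only rules out current direct or nested membership in the listed groups; it does not say why the flag is set.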