Jorge, thanks for the mail back

i am duly noted on the re-enabling of the inheritance

if i may develop this thread a little further ..

is there any specific logging of the activity of the adminsdholder process or do we have to fall back to the directory auditing ??

presumably as i understand, there would be a number of elements to this;

i. enumeration of objects that are members of protected groups (is this constrained to user objects ??)
ii. change of admincount attribute
iii. change of inheritance
iv. reset of permissions on objects

G


> either explicit or inherited permissions will be replaced.... by the permissions defined on the adminsdholder object....
>
> so if re-applying inheritance is not enough... you would need to define explicit defined permissions...
>
> for the default perms you can use the DEFAULT button and all custom added
> permissions would need to be defined again
>
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> (   Tel     : +31-(0)40-29.57.777
> (   Mobile : +31-(0)6-26.26.62.80
> *   E-mail : <see sender address>
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Graham Turner
> Sent: Tue 2007-01-16 17:37
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] adminsdholder
>
>
>
> Jorge, thanks for your reply post
>
> i certainly favour the former option on account of the other being a forest-wide configuration.
>
> on this basis if we have removed the user from protected groups then doesn't setting do the job ?
>
> the permission we are 'losing' is not one that is set at parent OU level and set explicitly on the object so inheritance of the permission is not
>
> OR is there something else that needs to be re-enabled by changing the inheritance on the user object ??
>
> GT
>
>
> 1. removed user from all protected groups
>
>
>> setting the attribute to 0 only will not help....
>>
>> to stop the adminsdholder from managing a certain group/user you either:
>> * remove it from a protected group, check inheritance and reset admincount to <not set>
>> * configure dsheuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended as you should not use the default admin groups, but instead delegate stuff)
>>
>> also see:
>> http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx
>>
>> Met vriendelijke groeten / Kind regards,
>> Ing. Jorge de Almeida Pinto
>> Senior Infrastructure Consultant
>> MVP Windows Server - Directory Services
>>
>> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
>> (   Tel     : +31-(0)40-29.57.777
>> (   Mobile : +31-(0)6-26.26.62.80
>> *   E-mail : <see sender address>
>>
>> ________________________________
>>
>> From: [EMAIL PROTECTED] on behalf of Graham Turner
>> Sent: Tue 2007-01-16 15:37
>> To: activedir@mail.activedir.org
>> Subject: [ActiveDir] adminsdholder
>>
>>
>>
>> Dear all, i think we are experiencing issues re not being able to reset permissions on an object that was previously member of protected groups
>>
>> i have read that the issue is around the reset of the value of 'admincount' attribute.
>>
>> as i learn this gets set to 1 when it becomes a member of protected groups, but
>> ju
>>
>> i wanted to confirm that it is a 'supported' operation to merely reset this data to 0 to undo the effect of adminsdholder ??
>>
>> or whether there are other changes that need to be considered. ?
>>
>> G


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
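
The clean-up sequence from the quoted reply (object removed from the protected groups, inheritance checked, admincount reset to <not set>), as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module; the `$ProtectedGroups` list and the `-Remediate` switch are names chosen for this example and should be adjusted to the domain.

```powershell
# Added example, not from the thread. Reports objects that still carry adminCount=1
# although they no longer belong to a protected group; changes nothing unless -Remediate.
param(
    # Assumption: the protected groups of this domain; adjust the list as needed.
    [string[]]$ProtectedGroups = @('Administrators','Domain Admins','Enterprise Admins',
        'Schema Admins','Account Operators','Server Operators','Backup Operators',
        'Print Operators','Replicator','Domain Controllers'),
    [switch]$Remediate
)
Import-Module ActiveDirectory

# 1. Every direct or nested member of a protected group is still managed by adminSDHolder.
#    The 1.2.840.113556.1.4.1941 matching rule resolves nested membership on the DC.
$stillProtected = @{}   # DN -> $true (hashtable keys compare case-insensitively)
$protectedRids  = @{}   # RID -> $true, to catch membership held via primaryGroupID
foreach ($name in $ProtectedGroups) {
    foreach ($g in Get-ADGroup -Filter "Name -eq '$name'") {
        $stillProtected[$g.DistinguishedName] = $true
        $protectedRids[$g.SID.Value.Split('-')[-1]] = $true
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" |
            ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
    }
}

# 2. Leftovers: adminCount=1 but no protected membership (krbtgt is protected by itself).
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, primaryGroupID, sAMAccountName |
    Where-Object { -not $stillProtected.ContainsKey($_.DistinguishedName) -and
                   -not $protectedRids.ContainsKey([string]$_.primaryGroupID) -and
                   $_.sAMAccountName -ne 'krbtgt' } |
    ForEach-Object {
        $path = "AD:\$($_.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        [pscustomobject]@{
            DistinguishedName  = $_.DistinguishedName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
        if ($Remediate) {
            # 3. Re-enable inheritance. The explicit ACEs copied from adminSDHolder stay
            #    on the object; default or custom permissions are restored separately.
            $acl.SetAccessRuleProtection($false, $false)
            Set-Acl -Path $path -AclObject $acl
            # 4. Set adminCount back to <not set> rather than 0.
            Set-ADObject -Identity $_.DistinguishedName -Clear adminCount
        }
    }
```

Run it without `-Remediate` first and review the report; an object that is still a member of a protected group would simply be re-stamped on the next adminSDHolder pass.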