Thanks guys! With this I went back and corrected a few other accounts that I knew at one point had been DA.
Dave

-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, January 06, 2012 7:51 PM
To: NT System Admin Issues
Subject: RE: Not even sure how to look this one up

This is necessary, but not always sufficient. You may also have to set the adminSDHolder attribute to zero:

objADObject.Put "adminSDHolder", 0

Just applying inheritable permissions fixes SOME things. Others require the reset value...

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, January 06, 2012 7:36 PM
To: NT System Admin Issues
Subject: Re: Not even sure how to look this one up

On Fri, Jan 6, 2012 at 14:21, David Lum <david....@nwea.org> wrote:
> As a matter of fact, yes they were. I think early on messing with
> these guys is where I learned about AdminSDHolder. Looks like I get to
> use ADSIEDIT right?

I stole this from somewhere, and saved it in a file called ClearAdminSDHolderForOneUser.vbs. Worked just fine.

Kurt

' ========= VBScript program ===========
' VBScript program to toggle "allow inheritable permissions from
' parent to propagate to this object" on the Security tab of the object.
Option Explicit

Const SE_DACL_PROTECTED = &H1000

Dim objADObject, objNtSecurityDescriptor, intNtSecurityDescriptorControl

' Distinguished Name of user object hard coded.
Set objADObject = GetObject("LDAP://cn=Kurt Buff,ou=it,ou=users,ou=us,dc=mycompany,dc=com")

' Retrieve security descriptor object for this object.
Set objNtSecurityDescriptor = objADObject.Get("ntSecurityDescriptor")

' Retrieve control settings.
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

' Toggle the bit for "allow inheritable permissions".
intNtSecurityDescriptorControl = intNtSecurityDescriptorControl Xor SE_DACL_PROTECTED

' Save control settings in the security descriptor object.
objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl

' Save the security descriptor object.
objADObject.Put "ntSecurityDescriptor", objNtSecurityDescriptor

' Update the user object.
objADObject.SetInfo

Wscript.Echo "Done"
' ========= VBScript program ===========

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
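
An added example, not part of the thread and not any poster's code: a PowerShell version of the cleanup discussed above, generalized from one hard-coded user to every account that is still flagged after leaving a protected group. It sets the inheritance state explicitly rather than toggling it, so running it twice does not switch protection back on. Assumptions: the RSAT ActiveDirectory module is installed, adminCount=1 is the marker AD leaves on AdminSDHolder-protected objects, the group list below matches your domain, and the two function names are hypothetical.

```powershell
# Added example (not from the thread): find users still flagged by AdminSDHolder
# that are no longer in a protected group, then restore ACL inheritance.
Import-Module ActiveDirectory

# Assumption: adjust this list to the protected groups in your domain.
$protectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                   'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

# Collect the DNs of all current members, including nested ones.
$stillProtected = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        ForEach-Object { [void]$stillProtected.Add($_.DistinguishedName) }
}

function Get-StaleAdminSDHolderUser {   # hypothetical name
    # krbtgt is protected by design and is never a group member, so skip it.
    Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' -Properties nTSecurityDescriptor |
        Where-Object { -not $stillProtected.Contains($_.DistinguishedName) } |
        Select-Object DistinguishedName, SamAccountName,
            @{ n = 'InheritanceBlocked'; e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }
}

function Repair-StaleAdminSDHolderUser {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$DistinguishedName)
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if ($acl.AreAccessRulesProtected -and
            $PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
            # First argument $false = not protected; the second is ignored when unprotecting.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Set adminCount to 0')) {
            Set-ADUser -Identity $DistinguishedName -Replace @{ adminCount = 0 }
        }
    }
}

# Review the list first, then preview the changes without writing anything.
Get-StaleAdminSDHolderUser | Format-Table -AutoSize
Get-StaleAdminSDHolderUser | Repair-StaleAdminSDHolderUser -WhatIf
```

Drop `-WhatIf` only after checking the report; an account that is still in a protected group will have its ACL re-stamped by AdminSDHolder on the next SDProp run.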