>I went back and corrected a few other accounts that I knew at one point had been DA.

It's not just DAs that are subject to adminSDholder. If you want to know you got them all, query all your user and group accounts for adminCount value of 1. Then you will know just what is covered by it. Something along the lines of-

ADFIND -default -f "(&(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))(adminCount=1))" -dn

________________________________________
From: David Lum [david....@nwea.org]
Sent: Saturday, January 07, 2012 12:09 AM
To: NT System Admin Issues
Subject: RE: Not even sure how to look this one up

Thanks guys! With this I went back and corrected a few other accounts that I knew at one point had been DA.

Dave

-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Friday, January 06, 2012 7:51 PM
To: NT System Admin Issues
Subject: RE: Not even sure how to look this one up

This is necessary, but not always sufficient. You may also have to set the adminSDHolder attribute to zero:

objADObject.Put "adminSDHolder", 0

Just applying inheritable permissions fixes SOME things. Others require the reset value...

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Friday, January 06, 2012 7:36 PM
To: NT System Admin Issues
Subject: Re: Not even sure how to look this one up

On Fri, Jan 6, 2012 at 14:21, David Lum <david....@nwea.org> wrote:
> As a matter of fact, yes they were. I think early on messing with
> these guys is where I learned about AdminSDHolder. Looks like I get to
> use ADSIEDIT right?

I stole this from somewhere, and saved it in a file called ClearAdminSDHolderForOneUser.vbs. Worked just fine.

Kurt

' ========= VBScript program ===========
' VBScript program to toggle "allow inheritable permissions from
' parent to propagate to this object" on the Security tab of the object.

Option Explicit

Const SE_DACL_PROTECTED = &H1000

Dim objADObject, objNtSecurityDescriptor, intNtSecurityDescriptorControl

' Distinguished Name of user object hard coded.
Set objADObject = GetObject("LDAP://cn=Kurt Buff,ou=it,ou=users,ou=us,dc=mycompany,dc=com")

' Retrieve security descriptor object for this object.
Set objNtSecurityDescriptor = objADObject.Get("ntSecurityDescriptor")

' Retrieve control settings.
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

' Toggle the bit for "allow inheritable permissions".
intNtSecurityDescriptorControl = intNtSecurityDescriptorControl Xor SE_DACL_PROTECTED

' Save control settings in the security descriptor object.
objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl

' Save the security descriptor object.
objADObject.Put "ntSecurityDescriptor", objNtSecurityDescriptor

' Update the user object.
objADObject.SetInfo

Wscript.Echo "Done"
' ========= VBScript program ===========

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
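
The adminCount=1 query suggested in the first reply, extended as an added example (not code from the thread): it marks which flagged users and groups are still covered by a protected group and which still have inheritance blocked, so leftover accounts stand out. It assumes the RSAT ActiveDirectory module, the default protected groups under their English names, and unmodified dsHeuristics.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: default protected groups, English names, dsHeuristics untouched.
$protectedGroups = 'Account Operators','Administrators','Backup Operators',
    'Domain Admins','Domain Controllers','Enterprise Admins','Print Operators',
    'Read-only Domain Controllers','Replicator','Schema Admins','Server Operators'

# DN -> $true for everything AdminSDHolder currently covers in this domain.
# Hashtable string keys compare case-insensitively, which suits DNs.
$covered = @{}

# Administrator (RID 500) and krbtgt (RID 502) are protected directly.
$domainSid = (Get-ADDomain).DomainSID.Value
foreach ($rid in 500, 502) {
    $covered[(Get-ADUser -Identity "$domainSid-$rid").DistinguishedName] = $true
}

foreach ($name in $protectedGroups) {
    # Enterprise/Schema Admins exist only in the forest root; skip if absent.
    foreach ($group in @(Get-ADGroup -Filter "Name -eq '$name'")) {
        $covered[$group.DistinguishedName] = $true
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: transitive
        # members, nested groups included. Primary-group membership is not
        # stored in memberOf, so it is not seen here.
        $chain = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
        Get-ADObject -LDAPFilter $chain |
            ForEach-Object { $covered[$_.DistinguishedName] = $true }
    }
}

# Same LDAP filter as the ADFIND command in the thread.
$flagged = '(&(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))(adminCount=1))'

Get-ADObject -LDAPFilter $flagged -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            DistinguishedName   = $_.DistinguishedName
            # False = flag left behind after removal from a protected group.
            StillCovered        = $covered.ContainsKey($_.DistinguishedName)
            # True = DACL is protected, i.e. inheritance is still blocked.
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
        }
    } |
    Sort-Object StillCovered, DistinguishedName |
    Format-Table -AutoSize
```

Rows with StillCovered False are the accounts the thread is about: no longer in a protected group, but still carrying the flag and, where InheritanceDisabled is True, the blocked inheritance.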