This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 96%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM4%3C/text%3E%3C/svg%3E)
Hi,
I created a unit organisation and set delegation to give to some users the permission to edit all users in this OU.
We have a problem with some admin accounts. the delegation doesn't work.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
Check if the inheritance option is enabled on the ACLs of admin accounts.
Please don't forget to mark this reply as answer if it help you to fix your issue
Hi,
It's disabled. I tried to enabled it but when I checked later it's disabled.
It seems that this account is protected by SDprop process. This process is launched by default by the PDC to protect the permissions on protected users and group. Check the value of Admincount to know if this account is protected or not:
get-aduser -identity userSamaccountName -properties AdminCount
If the AdminCount value is 1 , so the account is protected by SDprop. To get more details you can read this article:
22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
Please don't forget to mark this reply as answer
Thank you Thameur.
Some users added by mistake to domain admins group. I removed them and the issue is fixed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
It may caused by the Security Descriptor Propagator (SDPROP) if the user was in the protected group.
This background process runs, by default, every sixty (60) minutes on the Domain Controller holding PDC Emulator FSMO role in an Active Directory domain.
Even if you delegate (change) permissions on Domain Admins group, Active Directory will overwrite them by setting the ones used on AdminSDHolder container.
Following link for your reference:
https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
Best Regards,
Thank you for your help.
Yes , I have removed impacted account from protected group and the problem is fixed now.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Maybe you can verify the permissions.
https://social.technet.microsoft.com/wiki/contents/articles/6477.active-directory-how-to-view-or-delete-delegated-permissions.aspx
--please don't forget to Accept as answer if the reply is helpful--
Hi @Anonymous
Already checked . but the permission set on OU is not the same as impacted user account.
You'll need to find the conflict.
https://www.rebeladmin.com/2018/01/deal-group-policy-conflicts/
--please don't forget to Accept as answer if the reply is helpful--