This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
I created a unit organisation and set delegation to give to some users the permission to edit all users in this OU.
We have a problem with some admin accounts. the delegation doesn't work.
Hi,
Check if the inheritance option is enabled on the ACLs of admin accounts.
Please don't forget to mark this reply as answer if it help you to fix your issue
Hi,
It's disabled. I tried to enabled it but when I checked later it's disabled.
Hi,
It may caused by the Security Descriptor Propagator (SDPROP) if the user was in the protected group.
This background process runs, by default, every sixty (60) minutes on the Domain Controller holding PDC Emulator FSMO role in an Active Directory domain.
Even if you delegate (change) permissions on Domain Admins group, Active Directory will overwrite them by setting the ones used on AdminSDHolder container.
Following link for your reference:
https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
Best Regards,
Thank you for your help.
Yes , I have removed impacted account from protected group and the problem is fixed now.
Maybe you can verify the permissions.
https://social.technet.microsoft.com/wiki/contents/articles/6477.active-directory-how-to-view-or-delete-delegated-permissions.aspx
--please don't forget to Accept as answer if the reply is helpful--
Already checked . but the permission set on OU is not the same as impacted user account.
You'll need to find the conflict.
https://www.rebeladmin.com/2018/01/deal-group-policy-conflicts/
--please don't forget to Accept as answer if the reply is helpful--
It seems that this account is protected by SDprop process. This process is launched by default by the PDC to protect the permissions on protected users and group. Check the value of Admincount to know if this account is protected or not:
If the AdminCount value is 1 , so the account is protected by SDprop. To get more details you can read this article:
22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
Please don't forget to mark this reply as answer
Thank you Thameur.
Some users added by mistake to domain admins group. I removed them and the issue is fixed.