This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 7.000000000000001%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Hi All,
We have an issue OU based delegation reverting again & again for some of the users .While investigation we have found it was happening just because of user was member of high security group that,s why inheritance reverting .So further troubleshooting we have reset the attribute admincount from 1 to 0 .Its works for few hours & again change to 1.
would anyone help to know the what would be the best way to apply the inheritance on member of high security group
Regards
Hi
Have a look at this post which provides details on how to reset the inheritance of an object that has been orphend by the sdprop process.
Gary.
HI
The requirement is to enable the inheritance of those users which is the part of high security group
I Have the info about the users but inheritance is not being applied & i can not exclude the user from the group membership
reset admincount is not working for me its reverting again & again
is there ant workaround to apply inheritance for users which is having the part of high security group
The shared article does not help to get the info as i needed
Regards
Hi,
If the user is still a member of the protected group, then the SDPropAdmin container permissions will be applied to the account, and this will remove the inheritance.
If you want inheritance to be enabled and not be removed again by the SDProp process, you have to remove the account from the protected group, and clear the admin count attribute. There is no way to prevent this behaviour.
Gary.
Thanks for your response
It means there is no other workaround for applying the Inheritance for those users who is having the membership of high security group ?
What about if admin ids required the delegation how we will manage this because all the admin id,s would be the member of high security group i.e domain admin, enterprise admin,schema,administartor etc..
is that mean we can not apply inheritance on those users?
Regards
Hi there,
Correct there is no workaround, if a user is a member of one of the protected groups the SDPropAdmin permissions will continue to be applied.
This process is designed to protect these users as they have elevated rights to manage and change the environment. As these users are seen as admins, typcially they don't require delegation applied to them and their peers manage the accounts. If your system management is based on the principle of least privileges and segration of roles, these accounts would be dedicated admin accounts, another reason why you wouldn't require delegation applied to them.
If you do need to apply elevated rights to a user and not use one of the protected groups, you could apply specific delegation rights to the objects you want them to manage using the AD delegation wizard.
Gary.