brajkishorSingh-1326 asked JamesTran-MSFT edited

Delegation Inheritance reverting again & again in Active Directory

Hi All,
We have an issue: OU-based delegation is reverting again and again for some of the users. During investigation we found it was happening because the user was a member of a high-security group; that's why inheritance is reverting. As further troubleshooting, we reset the attribute adminCount from 1 to 0. It works for a few hours and then changes to 1 again.

Would anyone help me know what would be the best way to apply inheritance to a member of a high-security group?

Regards




1 Answer

GaryReynolds answered GaryReynolds commented

Hi

Have a look at this post, which provides details on how to reset the inheritance of an object that has been orphaned by the SDProp process.

Gary.



Hi,
The requirement is to enable inheritance for those users who are part of a high-security group.
I have the info about the users, but inheritance is not being applied and I cannot exclude the users from the group membership.

Resetting adminCount is not working for me; it keeps reverting again and again.

Is there any workaround to apply inheritance for users who are part of a high-security group?

The shared article does not help me get the info I needed.
Regards


Hi,

If the user is still a member of the protected group, then the SDPropAdmin container permissions will be applied to the account, and this will remove the inheritance.

If you want inheritance to be enabled and not be removed again by the SDProp process, you have to remove the account from the protected group, and clear the admin count attribute. There is no way to prevent this behaviour.

Gary.

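The distinction drawn in the comment above, as an added example that is not part of the original thread: it reports which `adminCount=1` users are still in a protected group (so SDProp will strip inheritance again) and which are candidate orphans, then previews the cleanup for the orphans only. It assumes the RSAT ActiveDirectory module, default English group names, and a protected-group list you should verify against your own domain.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: commonly documented default protected groups; verify and extend for your domain.
$groupNames = 'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
              'Domain Controllers', 'Enterprise Admins', 'Print Operators',
              'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
$groupDns = foreach ($name in $groupNames) {
    # -Filter returns nothing (no error) when a group does not exist in this domain.
    Get-ADGroup -Filter "SamAccountName -eq '$name'" |
        Select-Object -ExpandProperty DistinguishedName
}

# Map user DN -> protected group it still belongs to. Matching rule 1.2.840.113556.1.4.1941
# (LDAP_MATCHING_RULE_IN_CHAIN) follows nested groups as well as direct membership.
# Caveat: memberOf does not list the primary group; review primaryGroupID separately.
$stillProtected = @{}
foreach ($dn in $groupDns) {
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $dn }
}

# Classify users carrying adminCount=1. krbtgt is protected by itself, not through a
# group, so it is excluded to keep it out of the orphan list.
$report = Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' `
                     -Properties nTSecurityDescriptor |
    ForEach-Object {
        $via = $stillProtected[$_.DistinguishedName]
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            DistinguishedName   = $_.DistinguishedName
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
            ProtectedVia        = $via
            Finding             = if ($via) { 'StillProtected' } else { 'CandidateOrphan' }
        }
    }
$report | Sort-Object Finding, SamAccountName |
    Format-Table SamAccountName, InheritanceDisabled, Finding, ProtectedVia -AutoSize

# Candidate orphans only: clear adminCount and re-enable inheritance.
# -WhatIf previews the change; remove it to apply. Explicit ACEs that were
# stamped on the object earlier remain and need a separate review.
$orphans = $report | Where-Object { $_.Finding -eq 'CandidateOrphan' }
foreach ($row in $orphans) {
    $user = Get-ADUser $row.DistinguishedName -Properties nTSecurityDescriptor
    $user.nTSecurityDescriptor.SetAccessRuleProtection($false, $true)
    Set-ADUser $user -Clear adminCount `
        -Replace @{ nTSecurityDescriptor = $user.nTSecurityDescriptor } -WhatIf
}
```

Accounts reported as `StillProtected` are left alone on purpose: any change made to them is undone the next time SDProp runs.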

Thanks for your response.

Does it mean there is no other workaround for applying inheritance for those users who have membership of a high-security group?

What if admin IDs require the delegation? How will we manage this, because all the admin IDs would be members of a high-security group, i.e. domain admin, enterprise admin, schema, administrator, etc.?

Does that mean we cannot apply inheritance to those users?

Regards
