User account security inheritance being disabled automatically

John Palmer 31 Reputation points
2020-08-31T18:42:23.277+00:00

Hi everyone. Hope I am asking in the right place.

I have Exchange 2019 on a 2012R2 domain. I was experiencing issues connecting remotely to Exchange. According to multiple articles, the solution was to enable permissions inheritance on the AD user account (ADUC -> Open user -> Security -> Advanced -> Enable Inheritance).

This works fine, but it appears that this setting is being reverted regularly and frequently. As in every few hours.

Something in Active Directory really doesn't like permissions inheritance, but it appears to be required for Exchange to run.

Thanks in advance for any thoughts.

.jp.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
3,614 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
6,084 questions
No comments
1 vote

Accepted answer
  1. Andy David - MVP 109.5K Reputation points Microsoft MVP
    2020-08-31T18:53:55.867+00:00

    Hi there!
    What you are seeing is expected if your account is a member of any elevated groups. The recommendation is to not add any mailbox enabled account to an elevated group and permission inheritance wont be disabled.

    https://petri.com/active-directory-security-understanding-adminsdholder-object

    https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx

    No comments

2 additional answers

Sort by: Most helpful
  1. John Palmer 31 Reputation points
    2020-09-01T14:44:50.057+00:00

    Thanks guys. This is exactly the issue. The user in question is a Domain Admin, and needs that privilege.

    My next move will be a discussion between the user and other stakeholders. Probably demote this user and give him another for Domain Admin work.

    Thanks again.

    .jp.

    No comments

  2. Hannah Xiong 6,161 Reputation points
    2020-09-01T03:41:38.567+00:00

    Hello,

    Thank you so much for posting here.

    Agree with Andy David, we could kindly have a check whether this user account is protected user, which is a member of the protected group.

    For the users and groups that are members of the protected groups:

    • Security inheritance is disabled
    • The ACL on the user/group is replaced with the ACL from the AdminSDHolder object in the System container in AD (a smaller, much more restrictive ACL)
    • The adminCount attribute on the user/group is set to 1.

    For example:

    21872-11.png

    AdminSDHolder permissions apply to security principals that belong to protected groups. The Security Descriptor Propagation (SDPROP) process runs every hour on the domain controller holding the PDC emulator FSMO role. It is this process that sets the adminCount attribute to 1. The main function of SDPROP is to protect highly-privileged Active Directory accounts, ensuring that they can’t be deleted or have rights modified, accidentally or intentionally, by users or processes with less privilege.

    If we reenable inheritance on the affected users and clear the adminCount attribute and the group membership that triggered those items being changed in the first place is still there, then SDPROP will revert our changes within the hour.  So before cleaning up the permissions on these accounts, we need to ensure they are not affected by AdminSDHolder.

    Here we would like to share more information with you:
    https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)?redirectedfrom=MSDN

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    No comments