Active Directory Disappearing Permissions

posted 14 Jun 2011, 11:19 by Tristan Self
An odd problem with Active Directory that I came across this week: a user object kept on "losing" its permissions.

When adding the "Send As" permission for Exchange on an AD user object all seemed to go okay, then about 20 minutes or so later the permission would just vanish!

After much rummaging around I found this:
"It turns out that if the user object is a member, directly or indirectly, of a “protected group” (such as Server Operators, Backup Operators, or Administrators), then Active Directory automatically removes any inherited permissions, resets those permissions to the default, and turns off inheritance for those objects. The idea is to prevent possible elevation of privileges."

Hmm, so I checked the user, and for some reason someone had added the "Domain Users" group to the "Administrators" group. As Administrators is a protected group, the permissions kept on being reset.

It turns out I could force these permissions to disappear by forcing AD replication; this appears to re-evaluate the permissions and remove them more quickly.

FIX: Remove the user from the protected group, or you can play around with the AdminSDHolder object. I know which way I chose!
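The following PowerShell is an added example, not part of the original post, for diagnosing and cleaning up exactly this situation. It checks the two fingerprints that SDProp (the process that stamps the AdminSDHolder descriptor onto members of protected groups) leaves on a user object, adminCount=1 and disabled inheritance, and then walks the recursive membership of the well-known protected groups, which is what catches "Domain Users nested inside Administrators". It also shows the cleanup step the post's fix leaves implicit: once the account is out of every protected group, adminCount stays set and inheritance stays off until you clear them yourself. It assumes the ActiveDirectory RSAT module, and the account name jsmith at the bottom is a placeholder.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory RSAT module
# and read access to the domain; the repair function additionally needs write access
# to the user object.
Import-Module ActiveDirectory

# Well-known default protected groups. Membership in any of these, direct or nested,
# causes SDProp to overwrite the object's ACL with the AdminSDHolder descriptor.
# Groups excluded from protection via dSHeuristics are not accounted for here.
$ProtectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Domain Controllers', 'Read-only Domain Controllers', 'Replicator'
)

function Test-ProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # Recursive expansion is deliberate: the post's case was Domain Users -> Administrators,
    # so a direct memberOf check would miss it. Expanding a group that contains
    # Domain Users enumerates every user in the domain, so this can be slow.
    $hits = foreach ($name in $ProtectedGroups) {
        $group = Get-ADGroup -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue
        if ($null -eq $group) { continue }
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        if ($members.distinguishedName -contains $user.DistinguishedName) { $group.Name }
    }

    [pscustomobject]@{
        User                = $user.SamAccountName
        AdminCount          = $user.adminCount               # 1 means SDProp has touched it
        InheritanceDisabled = $acl.AreAccessRulesProtected   # $true means inheritance is off
        ProtectedGroups     = @($hits)                       # empty once the user is clean
    }
}

function Get-AdminSDHolderAcl {
    # The template ACL that SDProp copies onto protected objects. Review this when a
    # permission keeps "vanishing": only ACEs present here survive the next SDProp pass.
    $dn = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    (Get-Acl -Path "AD:\$dn").Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

function Repair-FormerProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Refuse to run while the account is still (even indirectly) protected; SDProp would
    # simply reapply the AdminSDHolder descriptor on its next pass and undo this.
    $state = Test-ProtectedUser -SamAccountName $SamAccountName
    if ($state.ProtectedGroups.Count -gt 0) {
        throw "$SamAccountName is still a member of: $($state.ProtectedGroups -join ', ')"
    }

    $user = Get-ADUser -Identity $SamAccountName
    Set-ADUser -Identity $user -Clear adminCount

    # Re-enable inheritance and keep the existing explicit ACEs ($true preserves them).
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$($user.DistinguishedName)" -AclObject $acl
}

# Placeholder account name; substitute the affected user.
Test-ProtectedUser -SamAccountName 'jsmith' | Format-List
Get-AdminSDHolderAcl | Format-Table -AutoSize
```

Run Test-ProtectedUser first; if ProtectedGroups is empty but AdminCount is still 1 and InheritanceDisabled is $true, the account is a leftover from a past protected membership and Repair-FormerProtectedUser puts it back to normal. Re-run the test after a replication cycle to confirm nothing reapplies.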