
Child object not inheriting parent's permissions.

Status
Not open for further replies.

ChuckG

MIS
Feb 28, 2001
211
US
I've got an issue that's being a pain, and was wondering if anyone has an idea on how to correct it.

I've got an OU (Pending Deletion) that user objects get put into when the user is terminated.
The account (historically) has been left in there indefinitely in case the user comes back to work for the company.

I've built a script to go through and start cleaning up this OU, but I keep running into a problem.

Several user objects are saying I don't have rights to delete them. The security on the OU says Domain Admins has Full Control, but if I look at the security on the user object, it's not inheriting permissions from the parent, so Domain Admins doesn't have full control.

Question is, is there a way to go through and force all user objects within this OU to inherit security from the parent OU?

I can go to each object and reset it manually, and then I can delete the accounts. But that's a pain; this site has over 2000 pending-deletion user objects.

Thanks
ChuckG

ChuckG
-=-=-=-
Midnight Club BBS
telnet midnight-club.org
 
I would first check the adminCount attribute on the objects that are being problematic. If the value is 1, then the object at one point or another was given access to a protected group in AD (such as Domain Admins). The permissions on these accounts will be reset approximately every 60 minutes by the domain, unless the object's membership in the protected group is removed and the adminCount attribute is set to 0 or nothing.

The second thing I would look at is the rights under which the script is running. Is it Domain Admins or something else? Any account below Domain Admins will have problems doing anything to objects with the above flag set.

An easy way to do this would be to run the following command on a DC:
csvde -f adminCountUsers.csv -r "(&(objectClass=user)(objectCategory=person)(adminCount=1))" -l "displayName,sAMAccountName,canonicalName"

This command will provide you with a simple report that you can look at and manipulate in Excel.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
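As an added example (not code from the thread), the following PowerShell script does across the whole OU what the reply above describes: it reports adminCount and whether inheritance is blocked for every user under the OU, then re-enables inheritance (and clears adminCount) on the objects that AdminSDHolder will not immediately re-protect. The OU distinguished name and report path are placeholders; it assumes the RSAT ActiveDirectory module and a Domain Admins session, and honours -WhatIf so the remediation can be previewed first.

```powershell
# Added example: report and optionally repair permission inheritance on users in an OU.
# Assumes the ActiveDirectory module (which also provides the AD: drive used by Get-Acl).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OuDn = 'OU=Pending Deletion,DC=example,DC=com',    # placeholder, replace
    [string]$ReportPath = '.\PendingDeletion-Inheritance.csv'
)

Import-Module ActiveDirectory

# Pull every user under the OU together with the attribute the reply says to check.
$users = Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * `
    -Properties adminCount, memberOf

$rows = foreach ($u in $users) {
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected   # true = "inherit from parent" unticked
        GroupCount         = @($u.memberOf).Count           # direct memberships only, not nested
    }
}

# Report first; this is the csvde query from the reply, extended to the whole OU.
$rows | Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($r in $rows) {
    if (-not $r.InheritanceBlocked) { continue }

    if ($r.AdminCount -eq 1 -and $r.GroupCount -gt 0) {
        # Still in groups: if one is protected, AdminSDHolder re-blocks inheritance within
        # the hour, so group membership has to be removed before this object is worth fixing.
        Write-Warning "$($r.SamAccountName): adminCount=1 and still in $($r.GroupCount) group(s); skipping."
        continue
    }

    if ($PSCmdlet.ShouldProcess($r.DistinguishedName, 'Re-enable inheritance and clear adminCount')) {
        $acl = Get-Acl -Path "AD:\$($r.DistinguishedName)"
        # ($false, $false): stop protecting the DACL and drop the previously copied inherited ACEs,
        # so the object picks up the parent OU's entries (including Domain Admins Full Control).
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path "AD:\$($r.DistinguishedName)" -AclObject $acl
        if ($r.AdminCount -eq 1) {
            Set-ADUser -Identity $r.DistinguishedName -Clear adminCount
        }
    }
}
```

Run it once with -WhatIf to see which objects would change; objects that are skipped with the warning are the ones whose stale group memberships need cleaning up first.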
 