ACL Inheritance on AD objects?
Gerry Hickman
2007-07-25 15:31:05 UTC
Hi,

We have Win2k3 DCs and a Win2k workstation to manage AD (using MMC). I've
set MMC to "advanced view" so that I can use the "security" tab to set
permissions on the AD objects (e.g. an OU).

However, when I set an ACL on an OU it does NOT inherit down to child
objects - this is unexpected.

There's an article here

http://support.microsoft.com/kb/178170

which seems to confirm the problem I'm seeing. I can FIX this by using the
Advanced button of the edit security dialog, adding the ACL, then choosing "this
object and all sub-objects", but surely the default behavior should be
inheritance by default??
--
Gerry Hickman - (London UK)
Jorge de Almeida Pinto [MVP - DS]
2007-07-25 21:15:03 UTC
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
Gerry Hickman
2007-07-25 22:23:22 UTC
Hi Jorge,
Post by Jorge de Almeida Pinto [MVP - DS]
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx
This is a nightmare article. We're running Win2k3 SP2, so what's with this
AdminCount business? I didn't even know about it. I'm not using the
Wizard, I'm trying to do the delegation manually, so do I need to set
AdminCount?

Thing is, I'm not getting inheritance with ANY group or user, I'm not
trying to use any "protected" group, I'm testing with domain users and
domain groups that I've created myself, NOT built-in.
--
Gerry Hickman (London UK)
Gerry Hickman
2007-07-26 08:57:31 UTC
Hi,

After reading more on this, I think there are two different issues.

1. Jorge's blog is about the "protected" accounts having their ACL
overwritten once per hour. Those accounts also end up with their
inheritance flag disabled, which means they won't inherit ACLs set
by other users even if they end up in the wrong OU. In my view this is a
design flaw, but that's another story...

2. My problem is not the above. My problem is that when I log in as a
member of the 'Domain Admins' group, right-click an OU and set a permission, it
DOES NOT inherit to child objects unless I use the Advanced tab and FORCE
inheritance.

#1 is about the user account not inheriting from above, #2 is about a member
of Domain Admins not being able to apply an ACL and have it inherit DOWN to
child objects. Two different things as I see it.

I'm trying to solve (or understand) #2.
--
Gerry Hickman - (London UK)
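The two issues Gerry separates correspond to two different properties of an OU's security descriptor: each explicit ACE carries its own inheritance setting (the basic Security tab writes "this object only", the Advanced dialog lets you pick "this object and all child objects"), while the object as a whole has a separate flag that blocks inheritance from its parent (the one AdminSDHolder clears on protected accounts). The script below is an added example, not code from the thread; it uses the ActiveDirectory PowerShell module, which postdates the 2007 discussion, and the OU distinguished name and group name are placeholders.

```powershell
# Added example (not from the thread). Audit an OU's explicit ACEs for their
# inheritance setting, report the object's own "block inheritance" flag, then
# add a delegation ACE the way the Advanced dialog's "This object and all
# child objects" option does. Assumes the ActiveDirectory module (AD: drive)
# and rights to modify the OU's ACL; DN and group are placeholders.
Import-Module ActiveDirectory
$ouPath = 'AD:\OU=Workstations,DC=example,DC=com'   # placeholder DN

$acl = Get-Acl -Path $ouPath

# Issue #2 in the thread: explicit ACEs whose InheritanceType is 'None'
# apply to the OU object only and never flow down to child objects.
# 'All' is what the Advanced dialog sets for "this object and all child objects".
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize

# Issue #1 in the thread: the per-object flag that stops ACEs inheriting
# from the parent (True on accounts AdminSDHolder has stamped).
"Inheritance from parent blocked on this object: $($acl.AreAccessRulesProtected)"

# Delegate ReadProperty on the OU and everything beneath it to a custom group
# (placeholder name), with ActiveDirectorySecurityInheritance.All so the ACE
# propagates instead of silently landing on the OU object alone.
$group    = New-Object System.Security.Principal.NTAccount('EXAMPLE\HelpdeskDelegates')
$identity = $group.Translate([System.Security.Principal.SecurityIdentifier])
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($ace)
Set-Acl -Path $ouPath -AclObject $acl
```

Re-running the first part of the script after Set-Acl should show the new ACE with InheritanceType 'All'; an ACE added through the basic Security tab shows 'None', which is exactly the non-propagating behaviour described in the thread.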