In my Small Business Server 2003 environment, I would like to be able to have users manage their own delegate permissions for their Exchange mailboxes. By default, the Outlook delegate feature will not work unless I go to the user object in Active Directory and grant Allow on "Write Personal Information" to SELF. This will work temporarily, but something seems to reset this value shortly afterward. What would cause this automatic reset?

1 Answer

If the user in question is or was a member of an administrative group such as Domain Admins, Account Operators, Backup Operators, Print Operators, etc., the AdminSDHolder object protects members of these groups by resetting their permission to the default every 5 minutes and also breaking permission inheritance on them.

You can check this by seeing if the AdminCount attribute is set to anything other than 0. If it is set to anything other than 0, then check their group membership. If they are no longer a member of one of those protected groups, you can manually set AdminCount back to 0 and allow permissions to inherit to their object. If they are still members of this, there is nothing you can do short of modifying the AdminSDHolder object, which would be cause for opening another question.

MDMarra
  • Thanks for solving this mystery. I found a script attached to http://support.microsoft.com/kb/817433/ that I was able to use to clear the AdminCount, after removing the user from the "Domain Power Users" group. – Holistic Developer Jul 22 '13 at 00:55
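
The check described in the answer, written as a read-only audit script. This is an added example, not code from the answer or from the KB article linked in the comment. It assumes the ActiveDirectory PowerShell module is available and can reach a domain controller; the group list and the `Escape-LdapValue` helper are choices made for this example.

```powershell
# Read-only audit: lists users with adminCount set and whether they still
# belong (directly or through nesting) to a protected group. Changes nothing.
Import-Module ActiveDirectory

# Groups named in the answer plus Administrators (assumption: adjust for your
# domain; the full protected set depends on the Windows Server version).
$protectedNames = 'Domain Admins', 'Account Operators', 'Backup Operators',
                  'Print Operators', 'Administrators'

# Hypothetical helper: escape characters that are special in an LDAP filter value.
function Escape-LdapValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$protectedDNs = foreach ($name in $protectedNames) {
    (Get-ADGroup -Filter "Name -eq '$name'").DistinguishedName
}

# Every user whose adminCount is present and not 0.
$flagged = Get-ADUser -LDAPFilter '(&(adminCount=*)(!(adminCount=0)))' `
                      -Properties adminCount, nTSecurityDescriptor

foreach ($user in $flagged) {
    # Transitive membership test (LDAP_MATCHING_RULE_IN_CHAIN), scoped to this
    # one object. Primary-group membership is not covered by memberOf.
    $stillIn = foreach ($dn in $protectedDNs) {
        $filter = "(memberOf:1.2.840.113556.1.4.1941:=$(Escape-LdapValue $dn))"
        if (Get-ADUser -LDAPFilter $filter -SearchBase $user.DistinguishedName -SearchScope Base) {
            $dn
        }
    }

    [pscustomobject]@{
        User               = $user.SamAccountName
        AdminCount         = $user.adminCount
        # True when the ACL no longer inherits from the parent container.
        InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedGroups    = ($stillIn -join '; ')
        # Flag still set but no protected membership left: candidate for cleanup.
        Orphaned           = -not $stillIn
    }
}
```

Rows with `Orphaned` set to `True` are the accounts where, per the answer, AdminCount can be set back to 0 and inheritance re-enabled; rows with a non-empty `ProtectedGroups` show which membership is keeping the account protected.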