Active Directory write permissions let edit users information but not administrator-users information

Question

In our Active Directory (2008 R2), I used delegation to give permission to edit user information attributes such as phone numbers, title, postal address, ... to a group of non-admin users.

Members of this group can now edit most users information, but they can't edit the info of administrators. But why? I didn't find any "Deny" clauses that could be causing that.

score 6 · Accepted Answer · answered Oct 25 '13 at 13:52

6

Probably the SDAdminHolder feature. It blocks permission inheritance for accounts that are members of the protected groups. You could confirm this by inspecting the permission on the accounts, and the permission of the account parent container.

answered Oct 25 '13 at 13:52

Greg Askew

34,339
3
52
81

1

http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx – joeqwerty Oct 25 '13 at 14:36

Active Directory write permissions let edit users information but not administrator-users information

1 Answers1