Friday 20 June 2008

Active directory permissions inheritance being cleared

I've been having an issue for some time where certain users and groups were having their AD inheritance flag cleared and an arbitrary set of permissions applied.

It turns out that this is by design. Because the users belonged to a group which was itself a member of Print Operators, their permissions were being set to match the System\AdminSDHolder object. The PDC emulator runs an hourly process which copies the permissions from AdminSDHolder to these protected objects.

The following article describes how to remove Print Operators from this protected list of groups. The article talks about a hotfix, but that is only relevant to Windows 2003 SP1; Windows 2003 SP2 already includes this change.

You can find the article here:
http://support.microsoft.com/kb/817433/en-us
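To find out which objects that hourly process has touched, and why, the following PowerShell audit is added here as an example; it is not from the original post. It assumes the RSAT ActiveDirectory module on a domain-joined machine, and relies on the fact that the process stamps adminCount=1 on every object it protects.

```powershell
# Added example: audit objects protected by AdminSDHolder and report whether
# their ACL inheritance has been blocked. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AdminSDHolderProtectedObjects {
    [CmdletBinding()]
    param(
        # Whole domain by default; pass -SearchBase to narrow the search.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # SDProp sets adminCount=1 on each object it has processed.
    $protected = Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $SearchBase `
        -Properties adminCount, objectClass, memberOf

    foreach ($obj in $protected) {
        # The AD: PSDrive exposes the object's security descriptor to Get-Acl.
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        [pscustomobject]@{
            Name               = $obj.Name
            ObjectClass        = $obj.ObjectClass
            DistinguishedName  = $obj.DistinguishedName
            # $true when the inheritance flag has been cleared on the object.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            # memberOf lists only direct groups; nested membership (a group that is
            # itself in Print Operators) is what caused the case described above.
            DirectGroups       = ($obj.memberOf | ForEach-Object {
                ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        }
    }
}

# Diff one object's ACL against the AdminSDHolder template to confirm SDProp overwrote it.
function Compare-WithAdminSDHolder {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $holder   = "CN=AdminSDHolder,CN=System," + (Get-ADDomain).DistinguishedName
    $fields   = 'IdentityReference', 'ActiveDirectoryRights', 'AccessControlType'
    $template = (Get-Acl -Path "AD:\$holder").Access | Select-Object $fields
    $actual   = (Get-Acl -Path "AD:\$DistinguishedName").Access | Select-Object $fields
    # No output means the object's explicit ACEs match the template exactly.
    Compare-Object -ReferenceObject $template -DifferenceObject $actual -Property $fields
}

Get-AdminSDHolderProtectedObjects | Sort-Object ObjectClass, Name | Format-Table -AutoSize
```

Removing an account from the protected group does not reverse what SDProp did: adminCount stays at 1 and inheritance stays blocked until an administrator clears them by hand.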
