Archived from groups: microsoft.public.win2000.active_directory (
More info?)
One helpdesk person can see this, another cannot. They have same permissions,
it seems to have something to do with PC.
"ptwilliams" wrote:
> This is because these accounts are protected accounts. That is, they are
> administrators, account operators, etc.
>
> There is an object in the directory called the adminSDHolder object. The
> PDCe compares and resets the permissions defined on this object against all
> users who are members of protected groups every sixty minutes. Furthermore,
> by default these groups are not set to inherit. Which is why they are still
> grayed out even though you've granted write permissions.
>
> There are a number of ways round this:
>
> Modify the permissions on the adminSDHolder object
> Remove these users from the protected groups.
> Implement a hotfix from MS that changes this behaviour a little bit.
>
> The reason for this (it's by design) is so that delegated users cannot
> modify the permissions of administrative user objects.
>
> If you search google or MS support for adminSDHolder you should find a
> couple of helpful KBs.
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
>
> "KJ" wrote:
>
> > Users who are delegated permissions to OU might have problems with a couple
> > of grayed out accounts in certain OU's. Others do not. What would cause this?
> > Rights are set per group that is delegated permissions.