AdminSDHolder thread - How can I block??

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Is there any to block the update or refresh generated by the
AdminSDHolder thread from being applied to an individual user in one of
the protected groups? For example, a user who's a domain admin (User1)
wishes to grant another user (User2) "send as" permissions on his
mailbox. Every hour or so User2 "disappears" from the security tab of
User1 in effective removed from the ACL of User1. The options seem to
be to add "send as" permissions for User2 to the AdminSDHolder
container (I've tried this on my testbed but haven't quite got it to
work even though the user permissions did "trickle down" to the groups
and users) or remove the user from the domain admins groups and reset
the admin count attribute. What I really want to do is just "block"
changes for this one particular user, without affecting how
AdminSDHolder is being applied to other groups and users. Possible or
not? TIA

-Jim

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You don't want to do that. But, if you really must, then this should help:

http://support.microsoft.com/?id=817433

--

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
<jxxrzt@yahoo.com> wrote in message
news:1126744050.464443.248420@g44g2000cwa.googlegroups.com...
> Is there any to block the update or refresh generated by the
> AdminSDHolder thread from being applied to an individual user in one of
> the protected groups? For example, a user who's a domain admin (User1)
> wishes to grant another user (User2) "send as" permissions on his
> mailbox. Every hour or so User2 "disappears" from the security tab of
> User1 in effective removed from the ACL of User1. The options seem to
> be to add "send as" permissions for User2 to the AdminSDHolder
> container (I've tried this on my testbed but haven't quite got it to
> work even though the user permissions did "trickle down" to the groups
> and users) or remove the user from the domain admins groups and reset
> the admin count attribute. What I really want to do is just "block"
> changes for this one particular user, without affecting how
> AdminSDHolder is being applied to other groups and users. Possible or
> not? TIA
>
> -Jim
>

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You can't do it.

In addition, it is not very bright to mailbox enable administrator IDs. Admins
should have an ID for normal use and an ID for admin use. The issue is viruses.
You do not want a user running under a domain admin ID or any admin ID really
opening a message that just goes off and executes stuff.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


jxxrzt@yahoo.com wrote:
> Is there any to block the update or refresh generated by the
> AdminSDHolder thread from being applied to an individual user in one of
> the protected groups? For example, a user who's a domain admin (User1)
> wishes to grant another user (User2) "send as" permissions on his
> mailbox. Every hour or so User2 "disappears" from the security tab of
> User1 in effective removed from the ACL of User1. The options seem to
> be to add "send as" permissions for User2 to the AdminSDHolder
> container (I've tried this on my testbed but haven't quite got it to
> work even though the user permissions did "trickle down" to the groups
> and users) or remove the user from the domain admins groups and reset
> the admin count attribute. What I really want to do is just "block"
> changes for this one particular user, without affecting how
> AdminSDHolder is being applied to other groups and users. Possible or
> not? TIA
>
> -Jim
>