Account Operators Group
in [Active Directory]
|
From: Richard Mueller [MVP] on 29 May 2008 14:04 I'm glad this accounts for what you see. Yes, changing membership in the Printer Operators group will make the ACE get added or removed as appropriate, but there is a time delay. A system process does this in the background. You may need to wait 15 minutes or so. -- Richard Mueller MVP Directory Services Hilltop Lab - http://www.rlmueller.net -- "mpatraw_EPIC_Imaging" <mpatrawEPICImaging(a)discussions.microsoft.com> wrote in message news:089E3787-753B-410C-A15E-0796D67B560C(a)microsoft.com... > Richard, > > Thanks for the response. > I read this article, but I guess I didn't check every group. I just > checked > and all of the users that are not able to be administered by Account > Operators are part of the Print Operators group. I'm not sure how that > happened. I guess it's possible that a new user being created by copying > an > existing user, some of those copied users had print operators and were > just > not removed after being created. > > Question. If I remove those users from Print Operators, should they they > regain the security ACE for Account Operators? I will test a few.. > > "Richard Mueller [MVP]" wrote: > >> Does this article explain what you see: >> >> http://support.microsoft.com/kb/245174 >> >> Per the article Account Operators cannot manage users that are members of >> the following restricted groups: >> >> Account Operators >> Administrators >> Backup Operators >> Print Operators >> Server Operators >> Domain Admins >> >> If you have users that are not members of any of these groups, even due >> to >> group nesting, and lack the ACE, then you have a problem. However, any >> program to fix it must check each user for membership in any of these >> groups, or any other groups that are members of these groups. >> >> -- >> Richard Mueller >> MVP Directory Services >> Hilltop Lab - http://www.rlmueller.net >> -- >> >> >>
From: Herb Martin on 29 May 2008 14:49 "Richard Mueller [MVP]" <rlmueller-nospam(a)ameritech.nospam.net> wrote in message news:uQApoZbwIHA.3384(a)TK2MSFTNGP03.phx.gbl... > I'm glad this accounts for what you see. Yes, changing membership in the > Printer Operators group will make the ACE get added or removed as > appropriate, but there is a time delay. A system process does this in the > background. You may need to wait 15 minutes or so. Amazing (since) I didn't know that <grin>
From: Richard Mueller [MVP] on 29 May 2008 15:28 "Herb Martin" <news(a)learnquick.com> wrote in message news:OEZoxybwIHA.3680(a)TK2MSFTNGP05.phx.gbl... > > "Richard Mueller [MVP]" <rlmueller-nospam(a)ameritech.nospam.net> wrote in > message news:uQApoZbwIHA.3384(a)TK2MSFTNGP03.phx.gbl... >> I'm glad this accounts for what you see. Yes, changing membership in the >> Printer Operators group will make the ACE get added or removed as >> appropriate, but there is a time delay. A system process does this in the >> background. You may need to wait 15 minutes or so. > > Amazing (since) I didn't know that <grin> > Well, maybe I'm not completely correct. I tested by adding a user to the Print Operators group, saw that the Account Operators ACE was still there, waited about 15 minutes, and saw that the ACE was gone. I then removed the user from the Print Operators group, saw that the ACE was still gone, and assumed I would have to wait a similar period. I replied to the post. Since then I have waited over an hour and the ACE has still not been restored to the user account. I need to investigate some more, because I'd rather not try to correct this myself unless I have to. Maybe the background process runs less frequently than I thought. Richard
From: Herb Martin on 29 May 2008 16:05 "Richard Mueller [MVP]" <rlmueller-nospam(a)ameritech.nospam.net> wrote in message news:uT9CeIcwIHA.3860(a)TK2MSFTNGP06.phx.gbl... > > "Herb Martin" <news(a)learnquick.com> wrote in message > news:OEZoxybwIHA.3680(a)TK2MSFTNGP05.phx.gbl... >> >> "Richard Mueller [MVP]" <rlmueller-nospam(a)ameritech.nospam.net> wrote in >> message news:uQApoZbwIHA.3384(a)TK2MSFTNGP03.phx.gbl... >>> I'm glad this accounts for what you see. Yes, changing membership in the >>> Printer Operators group will make the ACE get added or removed as >>> appropriate, but there is a time delay. A system process does this in >>> the background. You may need to wait 15 minutes or so. >> >> Amazing (since) I didn't know that <grin> >> > > Well, maybe I'm not completely correct. I tested by adding a user to the > Print Operators group, saw that the Account Operators ACE was still there, > waited about 15 minutes, and saw that the ACE was gone. I then removed the > user from the Print Operators group, saw that the ACE was still gone, and > assumed I would have to wait a similar period. I replied to the post. > Since then I have waited over an hour and the ACE has still not been > restored to the user account. I need to investigate some more, because I'd > rather not try to correct this myself unless I have to. Maybe the > background process runs less frequently than I thought. My guess is it will (might?) not do that in this direction.....
From: Wayne Tilton on 29 May 2008 18:55 "Herb Martin" <news(a)learnquick.com> wrote in news:efE0fdcwIHA.4736(a)TK2MSFTNGP04.phx.gbl: > > "Richard Mueller [MVP]" <rlmueller-nospam(a)ameritech.nospam.net> wrote > in message news:uT9CeIcwIHA.3860(a)TK2MSFTNGP06.phx.gbl... >> >> "Herb Martin" <news(a)learnquick.com> wrote in message >> news:OEZoxybwIHA.3680(a)TK2MSFTNGP05.phx.gbl... >>> >>> "Richard Mueller [MVP]" <rlmueller-nospam(a)ameritech.nospam.net> >>> wrote in message news:uQApoZbwIHA.3384(a)TK2MSFTNGP03.phx.gbl... >>>> I'm glad this accounts for what you see. Yes, changing membership >>>> in the Printer Operators group will make the ACE get added or >>>> removed as appropriate, but there is a time delay. A system process >>>> does this in the background. You may need to wait 15 minutes or so. >>> >>> Amazing (since) I didn't know that <grin> >>> >> >> Well, maybe I'm not completely correct. I tested by adding a user to >> the Print Operators group, saw that the Account Operators ACE was >> still there, waited about 15 minutes, and saw that the ACE was gone. >> I then removed the user from the Print Operators group, saw that the >> ACE was still gone, and assumed I would have to wait a similar >> period. I replied to the post. Since then I have waited over an hour >> and the ACE has still not been restored to the user account. I need >> to investigate some more, because I'd rather not try to correct this >> myself unless I have to. Maybe the background process runs less >> frequently than I thought. > > My guess is it will (might?) not do that in this direction..... > You need to re-enable inheritance on the individual objects, either via the GUI or using some tool like DSACLS. HTH, Wayne Tilton
First
|
Prev
|
Next
|
Last
Pages: 1 2 3 4 Prev: windows 2008 machine joining problem Next: cannot join WinXP to Windows 2000 domain |