Problem: Today I ran into an "access denied" error (the user has insufficient access rights) when modifying a user object with the credentials of a non-admin user. By default, non-admin users have no privilege to modify Active Directory objects, so I had delegated modify permissions for the non-admin user on one OU so that it could modify the user objects under that OU. The delegated privilege worked for some users but not for others. After some analysis I found the reason for this permission inheritance problem: the delegated privilege was not inherited by the users who are members of the "Domain Admins" group.
Cause: Permissions delegated on an OU reach the user objects below it only through inheritance from the parent container. Members of protected groups do not inherit permissions from the parent container: every 60 minutes by default, the SDProp process on the PDC emulator copies the security descriptor of the AdminSDHolder object (CN=AdminSDHolder,CN=System,<domain DN>) onto every account that is a direct or nested member of a protected group, disables inheritance on that account and sets its adminCount attribute to 1. So even though permissions are assigned higher up in the tree, they are never applied to users that are members of these built-in groups, and any ACE you add to the OU is silently ignored for them.
Protected administrative groups in Active Directory:
- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Replicator
- Cert Publishers
- Domain Controllers
- Read-Only Domain Controllers
The built-in Administrator and krbtgt accounts are protected as well, and the exact list has changed between Windows Server versions (Cert Publishers, for example, is no longer protected on current versions), so check the AdminSDHolder articles below for the version you run.
Solution: If you need to delegate permissions to a non-admin user or group to administer the users in an OU, and protected users reside in that OU, the delegation alone will never reach those users. To manage members of protected groups you must either perform the task as an existing administrator who is a member of a protected group, or make the delegated user a member of a protected group. Two caveats before choosing the second option. First, putting a helpdesk account into Domain Admins defeats the purpose of delegating in the first place; the better question is usually why a protected account lives in a delegated OU, and whether it can be moved out or removed from the protected group. Second, SDProp never undoes its own work: an account that is removed from a protected group keeps adminCount=1 and blocked inheritance until someone re-enables inheritance and clears adminCount by hand (KB 817433 describes this), so such orphaned accounts fail the delegation exactly like current administrators do. Editing the ACL on AdminSDHolder itself would extend the delegation to every protected account in the domain and must be treated as a domain-wide administrative change; KB 817433 also documents the dsHeuristics setting that excludes the Account, Server, Print and Backup Operators groups from protection if you really need that.
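The following PowerShell is an added example, not part of the original post. It finds the users in a delegated OU that SDProp has stamped (adminCount=1 or inheritance blocked), tells you which protected group still makes each one protected, and flags orphaned accounts that left the group but kept the stamp. It assumes the RSAT ActiveDirectory module, an account that can read the domain, and a placeholder OU path in $OU that you must replace; the reset step at the end runs with -WhatIf until you remove it.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: replace with the OU you delegated control of.
$OU = 'OU=Helpdesk Managed Users,DC=example,DC=com'

$domainSid = (Get-ADDomain).DomainSID.Value
$rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Protected groups keyed by well-known SID, so renamed or localized groups still match.
# The list differs slightly between Windows Server versions.
$protectedSids = @{
    "$rootSid-518"   = 'Schema Admins'
    "$rootSid-519"   = 'Enterprise Admins'
    "$domainSid-512" = 'Domain Admins'
    "$domainSid-516" = 'Domain Controllers'
    "$domainSid-517" = 'Cert Publishers'
    "$domainSid-521" = 'Read-Only Domain Controllers'
    'S-1-5-32-544'   = 'Administrators'
    'S-1-5-32-548'   = 'Account Operators'
    'S-1-5-32-549'   = 'Server Operators'
    'S-1-5-32-550'   = 'Print Operators'
    'S-1-5-32-551'   = 'Backup Operators'
    'S-1-5-32-552'   = 'Replicator'
}

# Candidates: users in the OU that SDProp stamped (adminCount=1) or whose ACL blocks inheritance.
$users = Get-ADUser -SearchBase $OU -Filter * -Properties adminCount, nTSecurityDescriptor

$report = foreach ($u in $users) {
    $inheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
    $stamped = ($u.adminCount -eq 1)
    if (-not ($inheritanceBlocked -or $stamped)) { continue }

    # tokenGroups is a constructed attribute (nested and universal groups included) and is only
    # returned by a base-scope read, hence the per-object lookup here.
    $tokenGroups = (Get-ADUser -Identity $u.DistinguishedName -Properties tokenGroups).tokenGroups
    $hits = foreach ($sid in $tokenGroups) {
        if ($protectedSids.ContainsKey($sid.Value)) { $protectedSids[$sid.Value] }
    }

    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $inheritanceBlocked
        ProtectedVia       = ($hits -join ', ')
        Orphaned           = (-not $hits)   # stamped by SDProp but no longer in any protected group
    }
}

$report | Format-Table SamAccountName, AdminCount, InheritanceBlocked, ProtectedVia, Orphaned -AutoSize

# Orphaned accounts keep adminCount=1 and a protected ACL forever; SDProp never reverts them, so the
# delegation keeps failing for them. Reset only after confirming they should be ordinary users.
# Remove -WhatIf from both cmdlets to apply the change.
foreach ($o in ($report | Where-Object Orphaned)) {
    Set-ADUser -Identity $o.DistinguishedName -Clear adminCount -WhatIf

    $path = 'AD:\' + $o.DistinguishedName
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep existing explicit ACEs
    Set-Acl -Path $path -AclObject $acl -WhatIf
}
```

Run it as the delegated helpdesk account and the ProtectedVia column explains every "access denied" case in the OU: a current Domain Admin needs an administrator to handle it, an orphaned account needs the reset at the end, and anything with an empty ProtectedVia and Orphaned set to False is a permissions problem unrelated to AdminSDHolder.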
For more information about this permission inheritance issue, refer to the following Microsoft articles:
Five common questions about AdminSdHolder and SDProp: http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx
Article 306398 - AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts: http://support.microsoft.com/default.aspx?scid=kb;en-us;306398
Article 232199 - Description and Update of the Active Directory AdminSDHolder Object: http://support.microsoft.com/?kbid=232199
Article 817433 - Delegated permissions are not available and inheritance is automatically disabled: http://support.microsoft.com/default.aspx?scid=kb;en-us;817433