Monday, October 02, 2006

Inheritable permissions are being cleared for some users

You know the expression "You learn something new every day"? Well, if you are in IT, the expression is something like "You learn 1,000 new things every day". That is what I like and hate about IT. There is always something new to learn. But, there is always something new to learn. Well, the gray hair makes me look dignified. :-)

One of my customers recently applied the Exchange 2003 SP2 hotfix that changes the way "Send As" permissions are delegated. See KB 912918: "Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003" for more information. After the fix was applied, they granted their Blackberry server's service account the necessary permissions in Active Directory.

However, they found that some of the users kept breaking. Upon further investigation, they found that for some users, the "Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects. Include These With Entries Explicitly Defined Here." checkbox was being cleared. It took them a while, but they figured out it was ONLY the members of the Domain Admins group.

My first question to them was "Why are accounts that are members of Domain Admins getting mailboxes in the first place, much less carrying around Blackberries??!!" Answer: They don't separate administrative accounts from the administrator's regular user account. I know, I know. Bad, bad, bad practice!

I found out this was a "feature". This is one of those "double-secret probation" tasks that the domain's PDC emulator does once an hour. If you create an account (or move an account) with Domain Admin (or Operator group) membership into an OU with delegated permissions, the "Allow Inheritable Permissions From The Parent...." checkbox will be cleared and the default permissions are applied. This is to make sure that an OU administrator cannot manage Domain Admin or domain Operator accounts.

For more information, see KB 817433: "Delegated permissions are not available and inheritance is automatically disabled".
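As an added example (not from the original post), here is a PowerShell check a defender can run to list the accounts this hourly task will keep breaking: accounts the PDC emulator has already protected (adminCount=1, inheritance cleared) that also have a mailbox and no longer carry the service account's delegated ACE. It assumes the ActiveDirectory module (RSAT) and its AD: drive; the service account name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module and the AD: PSDrive it provides; run as an account that can read
# object security descriptors.
Import-Module ActiveDirectory

# Placeholder: the Blackberry server's service account that was delegated
# "Send As" at the OU level (replace with the real account name).
$svc = 'CONTOSO\besadmin'

# Accounts whose inheritance the PDC emulator has cleared are stamped
# adminCount=1. homeMDB is set only on mailbox-enabled users.
$protected = Get-ADUser -LDAPFilter '(adminCount=1)' `
    -Properties adminCount, homeMDB, memberOf

$report = foreach ($u in $protected) {
    $acl = Get-Acl -Path ("AD:\" + $u.DistinguishedName)
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        # True when the "Allow Inheritable Permissions..." box is cleared
        InheritanceDisabled = $acl.AreAccessRulesProtected
        HasMailbox          = [bool]$u.homeMDB
        # Is any ACE (inherited or explicit) for the service account left?
        SvcHasAccess        = [bool]($acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $svc })
        # Direct group memberships, CN only, for readability
        Groups              = ($u.memberOf |
            ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
    }
}

# The accounts that "keep breaking": protected, mailbox-enabled, and the
# OU-level delegation to the service account is gone.
$report |
    Where-Object { $_.InheritanceDisabled -and $_.HasMailbox -and -not $_.SvcHasAccess } |
    Format-Table -AutoSize
```

adminCount is not cleared when an account later leaves Domain Admins or an Operators group, so former administrators show up here too; that is useful, because their inheritance stays disabled until it is re-enabled by hand.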

And, yes, they should segment their administrative accounts from their user accounts. IMHO, no administrator account should ever have a mailbox.
