Delegated permissions are not available and inheritance is automatically disabled

Delegated permissions are not available to all users in an Organizational Unit, and inheritance is automatically disabled on some of them.

The permissions or rights delegated to users are no longer available to them, rendering them unable to perform the delegated operations. This happens either to all users in an OU or only to some of them. In addition, inheritance of permissions is found to be blocked (disabled) on the affected user objects.

When does this issue happen?

This issue happens after upgrading to Windows Server 2003. It may also happen after Service Pack 4 is applied to Windows 2000 Server.

What is the reason for this issue?

This issue happens when the affected users are members of protected groups. The Delegation of Control Wizard writes inheritable ACEs on the OU, so they reach a user object only through inheritance. Active Directory, however, protects the members of certain groups: roughly every 60 minutes the SDProp (security descriptor propagator) thread on the PDC emulator copies the ACL of the AdminSDHolder object (CN=AdminSDHolder,CN=System,<domain>) onto every member of a protected group, sets adminCount to 1 on the account and disables inheritance on it. Any permission delegated at the OU level is therefore stripped from those accounts at the next SDProp run. For enhanced security, the set of protected groups was enlarged in Windows Server 2003 and later: in addition to Administrators, Domain Admins, Enterprise Admins and Schema Admins, the built-in operator groups (Account Operators, Server Operators, Print Operators and Backup Operators) are now protected, so a help desk technician who is, for example, a member of Account Operators is affected. Some Windows 2000 hotfixes enlarge the list in the same way.
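The following PowerShell script is an added diagnostic example, not code from the original article or from ADManager Plus. For every user in a delegated OU it reports whether SDProp has stamped the account (adminCount=1), whether inheritance is blocked on its security descriptor, and which protected groups (resolved through nested membership) cause that. It assumes the ActiveDirectory RSAT module, read access to the domain, and an OU name that you must replace with your own.

```powershell
# Added diagnostic example; not part of the original article.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Groups whose members SDProp protects on Windows Server 2003 and later.
# The four operator groups are the ones the Windows Server 2003 upgrade (and the
# Windows 2000 SP4-era hotfixes) added to the protected set.
$protectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Domain Controllers', 'Read-only Domain Controllers', 'Replicator',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'
)

# Resolve nested membership of every protected group that exists in this domain
# (Enterprise Admins and Schema Admins exist only in the forest root domain;
# Read-only Domain Controllers only from Windows Server 2008 on).
$protectedBy = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $dn = $_.distinguishedName
            if (-not $protectedBy.ContainsKey($dn)) { $protectedBy[$dn] = @() }
            $protectedBy[$dn] += $name
        }
}

# For each user in the delegated OU, report whether SDProp has stamped the account
# (adminCount=1) and whether inheritance is blocked on its security descriptor.
# An ACE delegated on the OU only reaches accounts where InheritanceBlocked is False.
# adminCount=1 with no protected group means an orphaned account: SDProp stamped it
# once and will not undo the stamp on its own.
$ouDn = 'OU=Helpdesk Managed,DC=example,DC=com'   # assumed OU; replace with yours
Get-ADUser -SearchBase $ouDn -Filter * -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $blocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        $dn      = $_.DistinguishedName
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $blocked
            ProtectedGroups    = ($protectedBy[$dn] -join ', ')
            Orphaned           = ($_.adminCount -eq 1 -and -not $protectedBy.ContainsKey($dn))
        }
    } | Sort-Object InheritanceBlocked -Descending | Format-Table -AutoSize
```

Accounts that show InheritanceBlocked = True together with a non-empty ProtectedGroups column are the ones this article is about; accounts that show Orphaned = True were protected in the past and need the manual clean-up described in the Note below the workarounds.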

How can this issue be fixed?

This issue can be resolved by either fixing it using an appropriate patch, or using a workaround.

Fix for the issue

This issue can be resolved with a Microsoft hotfix. Because SDProp runs only on the domain controller that holds the primary domain controller emulator (PDC emulator) operations master role, the hotfix must be applied on that DC and on every DC that is a probable candidate for taking over the PDC emulator role. This must be performed in every domain.

Workarounds

Inheritance can be enabled on the AdminSDHolder object.

This allows all protected group members to inherit permissions again and removes one of the two protections AdminSDHolder provides, leaving only its explicit ACL. Once inheritance is allowed at the OU level, protected group members inherit permissions from their own OU and from all parent OUs, so anyone delegated rights anywhere in that OU chain gains those rights over privileged accounts; weigh that before using this workaround. Inheritance can be enabled on AdminSDHolder using ADUC or ADSI Edit. The steps in ADUC are:

  • Enable View --> Advanced Features, then open the System container and select the AdminSDHolder object (CN=AdminSDHolder,CN=System,<domain DN>).
  • Right click the object and select Properties.
  • Go to Security tab --> Advanced.
  • Enable the 'Allow inheritable permissions to propagate to this object and all child objects' option, and click OK.

SDProp runs on the PDC emulator every 60 minutes by default, so inheritance will be allowed for protected group members on its next run after this change. For detailed steps, and the precautions needed while performing this workaround, refer to the Microsoft documentation on AdminSDHolder.
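The script below is an added example, not code from the original article or from ADManager Plus. It performs the workaround above in PowerShell (enabling inheritance on AdminSDHolder) and, next to it, the narrower alternative of adding a single explicit ACE to AdminSDHolder so that SDProp propagates exactly one right. It assumes the ActiveDirectory module, a help desk group named 'Helpdesk-Tier1' (an assumed name), and permissions to modify the System container. Both Set-Acl calls carry -WhatIf so the script is a dry run until you remove it.

```powershell
# Added example; not part of the original article. Assumes the ActiveDirectory module.
# 'Helpdesk-Tier1' is an assumed group name; replace it with your own.
Import-Module ActiveDirectory
$domainDn      = (Get-ADDomain).DistinguishedName
$adminSdHolder = "AD:\CN=AdminSDHolder,CN=System,$domainDn"

# --- The workaround from the article: enable inheritance on AdminSDHolder ---
# isProtected = $false re-enables inheritance; preserveInheritance = $true keeps the
# existing explicit ACEs. After the next SDProp run every protected account inherits
# from its OU chain, which is exactly what AdminSDHolder exists to prevent.
$acl = Get-Acl -Path $adminSdHolder
$acl.SetAccessRuleProtection($false, $true)
Set-Acl -Path $adminSdHolder -AclObject $acl -WhatIf   # drop -WhatIf only if you accept that risk

# --- Narrower alternative: add one explicit ACE to AdminSDHolder instead ---
# SDProp copies this ACE to every protected account, so grant only the right the help
# desk really needs. Even so, the grantee gets that right over Domain Admins as well.
$helpdeskSid   = (Get-ADGroup -Identity 'Helpdesk-Tier1').SID
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password control access right
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpdeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl = Get-Acl -Path $adminSdHolder
$acl.AddAccessRule($ace)
Set-Acl -Path $adminSdHolder -AclObject $acl -WhatIf

# Show what SDProp will stamp onto every protected account on its next run.
(Get-Acl -Path $adminSdHolder).Access |
    Where-Object { $_.IdentityReference -like '*Helpdesk-Tier1' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

Use one approach or the other, not both: the explicit ACE is scoped to one right but applies to every protected account, while enabling inheritance hands AdminSDHolder's members over to whatever is delegated on their OUs.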

Note:

  • Ensure that the members who are facing this issue are not part of any protected group, checking nested membership and not only direct membership. SDProp does not reverse its own changes once an account leaves a protected group: adminCount stays at 1 and inheritance stays disabled until an administrator clears the attribute and re-enables inheritance on the account.
  • Prefer configuring the ACL of the AdminSDHolder object, granting only the specific rights the delegated staff need, over enabling inheritance on it. Bear in mind that SDProp copies every ACE on AdminSDHolder to every protected account, Domain Admins included, so a right granted there is domain-wide in effect.
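The following script is an added example, not code from the original article or from ADManager Plus, for the first point of the Note: cleaning up an account that has been removed from every protected group but still carries SDProp's stamp. It first confirms, through nested membership, that no protected group still contains the user, then clears adminCount and re-enables inheritance so the OU-level delegation reaches the object again. It assumes the ActiveDirectory module and write access to the user object; the user name 'jdoe' is an assumption.

```powershell
# Added example; not part of the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Protected groups themselves carry adminCount=1, so this LDAP filter finds every
# protected group a user belongs to through any depth of nesting
# (OID 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN).
function Get-ProtectingGroup {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Escape the characters that are special inside an LDAP filter value.
    $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$escaped))"
}

# Once an account is out of every protected group, SDProp stops touching it but does
# not undo its earlier stamp: adminCount stays 1 and inheritance stays blocked.
function Restore-DelegatedInheritance {
    param([Parameter(Mandatory)][string]$Identity, [switch]$WhatIf)
    $user  = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor
    $still = Get-ProtectingGroup -DistinguishedName $user.DistinguishedName
    if ($still) {
        Write-Warning ("{0} is still protected via: {1}. SDProp would block inheritance again within the hour." -f
            $user.SamAccountName, ($still.Name -join ', '))
        return
    }
    if ($user.adminCount -ne 1 -and -not $user.nTSecurityDescriptor.AreAccessRulesProtected) {
        Write-Verbose "$($user.SamAccountName) is not stamped; nothing to do." -Verbose
        return
    }
    # 1. Clear adminCount so the account no longer looks like a protected one.
    Set-ADUser -Identity $user -Clear adminCount -WhatIf:$WhatIf
    # 2. Re-enable inheritance on the object's own security descriptor; keep explicit ACEs.
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl -WhatIf:$WhatIf
}

# Usage: dry run first, then apply without -WhatIf.
Restore-DelegatedInheritance -Identity 'jdoe' -WhatIf
```

If the warning fires, the user is still a member of a protected group through nesting; re-enabling inheritance would only be undone at the next SDProp run, so fix the group membership first.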

For a detailed analysis of this issue, its causes, and also the elaborate steps and examples to fix this issue, refer to this MS article.

Did you know that you can delegate AD management and reporting operations to help desk technicians without actually elevating their rights in AD? Give ADManager Plus a try. In fact, this solution also allows you to create customized help desk roles with all the tasks that you wish to delegate.

A few highlights of ADManager Plus' help desk delegation:

  • OU-specific delegation of AD management and reporting tasks
  • Customizable help desk roles with role-based access to AD management and reporting features
  • Technicians' permissions in native AD are not elevated
  • Audit reports to check the actions of help desk technicians
  • And more.

Download the free 30-day trial of ADManager Plus to experience all the capabilities of this unified AD, Office 365, Exchange and G Suite management and reporting tool.
