I don’t have a lot of experience with Active Directory, but having an issue where if I create some accounts, after adding said accounts to some security groups for access to various resources, my account gets removed from the list of permissions that can edit or manage those user accounts, and therefore I need to go to someone with much higher AD permissions than myself for any changes. This also seems to be affecting the user’s ability to write into the extended attributes of their account from third party apps. Upon further inspection of the account, the ownership of the account also changes from my useraccount to the domain admin. It doesn’t happen immediately, but often times is about 10 minutes after adding to some of the groups. I’ve gone as far as creating all brand new security groups that the users are members of, but even these new groups still need to be nested inside other existing groups.
So I guess my questions are:
-
Is there anything in AD that will filter down a set of specific permissions through various groups, and down to users? I guess kind of like a mandatory profile, but for user accounts.
-
Is there a way to troubleshoot this, aside from back tracking through various groups (some of which are nested groups within groups).
Any tips on this would be helpful.
Thanks!