Win2008 R2 - "Write Member Of" missing in Advanced Security options for user object - Read is showing OK

    Question

  • A few weeks ago I updated an AD to 2008 R2 from 2003 and prior to this I implemented a new OU and security model to restrict admin rights.

    I added a group with read/write 'member of' against user objects and that still works OK.

    I have now removed the final 2003 DC (still running 2003 Functional Level).

    When I now look at the OU using ADUC I do not see "write member of" in the properties list.

    Anyone got any ideas?


    Boz

    Friday, March 09, 2012 11:45 AM

Answers

  • However, if we check ADSIEDIT in 2008 R2, we can find the permission correctly. The assumption is that that entry is filtered in the ADUC UI for easier management: http://support.microsoft.com/kb/296490


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, April 10, 2012 5:02 AM

All replies

  • Hello,

     Your question is not clear to me.

     Are you missing some tabs in OU properties? If yes what are the tabs let me know.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 09, 2012 11:54 AM
  • No tabs missing.

    Security / Advanced - Select the group 'UpdateMemberOf' - Properties tab shows 'descendant user objects' but 'Write Member Of' is missing from the list...'Read Member Of' shows OK.

    Thx.


    Boz

    Friday, March 09, 2012 12:05 PM
  • All the DCs in the domain contain similar objects, considering the replication between them is working fine. There can't be a different object or permission if you have mixed DCs like 2003 or 2008 R2. When you apply any settings on a DC, it is applied to all the DCs, not to a specific one.

    I guess replication had not completed or both DCs were not in sync before you removed the Windows 2003 DC. Is the permission assigned to the protected account groups like Account Operators, Domain Admins or Enterprise Admins? It can be AdminSDHolder too.

    http://awinish.wordpress.com/2011/03/01/understanding-adminsdholder-and-protected-groups/


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 09, 2012 12:27 PM
  • Replication is fine.

    When I use ADUC and look at the OU object security on any DC it is simply that I am not able to see the "Write Member Of" permission/check box. What I am trying to understand is why this is missing in ADUC.

    If I use DSACLS the permission is displayed as expected.

    Allow MYDOMAIN\GS-LBL-DSTask-UserMemberOf
                                          SPECIAL ACCESS for memberOf
                                          WRITE PROPERTY
                                          READ PROPERTY


    Boz

    Friday, March 09, 2012 1:25 PM
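Added example, not part of the thread: a PowerShell check that enumerates the ACEs on an OU which reference one attribute, read from the security descriptor itself (the same data the DSACLS dump above shows), so the entry can be confirmed regardless of what the ADUC dialog chooses to display. It assumes the RSAT ActiveDirectory module and its AD: drive; the OU distinguished name at the bottom is a placeholder.

```powershell
# Added example (not from the thread): list the ACEs on an OU that reference one
# attribute, read straight from the security descriptor rather than through the
# ADUC dialog. Assumes the RSAT ActiveDirectory module (provides the AD: drive);
# the OU distinguished name used at the bottom is a placeholder.
Import-Module ActiveDirectory

function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Object-specific ACEs identify attributes and classes by schemaIDGUID, not by name.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "'$LdapDisplayName' is not in the schema" }
    return [guid]$obj.schemaIDGUID
}

function Get-AttributeAces {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Attribute
    )
    $attrGuid = Get-SchemaIdGuid -LdapDisplayName $Attribute
    $acl      = Get-Acl -Path "AD:\$DistinguishedName"

    # ObjectType equal to the attribute's GUID means the ACE is scoped to that one
    # property. An all-zero ObjectType with a property or generic right covers every
    # property, so those ACEs are reported too: they grant or deny this attribute as well.
    $acl.Access |
        Where-Object {
            $_.ObjectType -eq $attrGuid -or
            ($_.ObjectType -eq [guid]::Empty -and
             $_.ActiveDirectoryRights -match 'Property|Generic')
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
            @{ Name = 'Scope'; Expression = { if ($_.ObjectType -eq $attrGuid) { $Attribute } else { 'all properties' } } },
            InheritanceType,
            # InheritedObjectType is the schemaIDGUID of the class the ACE applies to
            # (the "descendant user objects" wording in ADUC); Empty means all classes.
            InheritedObjectType,
            IsInherited
}

# Usage with a placeholder OU; compare the rows with the DSACLS output above.
Get-AttributeAces -DistinguishedName 'OU=Staff,DC=example,DC=com' -Attribute 'memberOf' |
    Format-Table -AutoSize
```

If a row with AccessControlType Allow, ActiveDirectoryRights containing WriteProperty and Scope memberOf comes back for the delegated group, the ACE is in the directory and only the ADUC presentation differs; if nothing comes back, the problem is the ACL, not the UI.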
  • Hi,

    I would like to confirm the following questions first:

    1. What type of account did you try to view the security permissions?
    2. How did you try to restrict admin rights?
    3. Would you please list the steps of how did you view the security permissions?

    As far as I know, we cannot restrict administrator rights because administrators can change them back.

    Based on the current situation, you may check if you can use Delegate Control to delegate the permissions again and check the result. For more information, please refer to the following Microsoft TechNet article:

    Delegate Control of an Organizational Unit

    http://technet.microsoft.com/en-us/library/cc732524.aspx

    If the issue persists, would you please capture a screenshot to clarify the symptom?

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Arthur Li

    TechNet Community Support

    Tuesday, March 13, 2012 4:07 AM
  • Arthur, in response to questions

    1. User is a member of 'Domain Admins'

    2. I am using AD Users and Computers to set the permissions at the OU level (Advanced Security Settings). (per response above starting...no tabs missing)

    3. Security Tab, Advanced Button, Click on an existing permission entry

    Entry displays 'Properties' tab - for descendant user objects.

    THIS IS THE SYMPTOM - List of permissions does not show 'Write Member Of'...'Read Member Of' is ticked.

    I have created new OUs...and get this all the time now.

    It looks like a schema change but I'm damned if I know where/why/how!


    Boz

    Tuesday, March 13, 2012 1:53 PM
  • Hi,

    Are the “Write Member Of” and “Read Member Of” attributes greyed out or unchecked?

    If they are unchecked, please try to manually check them and check the result. Otherwise, please also try to move them to the new OU and rename the OU.

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Arthur Li

    TechNet Community Support

    Tuesday, March 20, 2012 6:23 AM
  • Hi,

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Arthur Li

    TechNet Community Support

    Friday, March 23, 2012 2:55 AM
  • The setting for Write member of is not displayed. The setting for read member of is displayed and I can check it and uncheck it.

    This happens even if I create a new OU. Only affects aduc because I can use dsacls to set the permission.


    Boz

    Friday, March 23, 2012 7:30 AM
  • Hi,

    Would you please capture a screenshot to clarify the symptom? It seems I still cannot find the permission entry you described.

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Arthur Li

    TechNet Community Support

    Tuesday, April 03, 2012 7:53 AM
  • Arthur, I cannot screen shot something that is missing.

    If I use DSACLS I can set the 'Write Member Of' permission.

    If I use ADUC I cannot because it is not displayed.

    When I built the AD I used ADUC to set this permission against user objects in an OU...I did not need to use DSACLS...

    The only thing I can think of is that I did all the setup work before I applied the Win2008 R2 Schema updates... light starting to come on :)


    Boz

    Tuesday, April 03, 2012 9:32 AM
  • Hi,

    If DSACLS lists that permission, it does exist; you could export the permission here and we can have a look. Unsure if it is a UI issue in ADUC; please try ADSIEDIT.

    I'll do a test on my side and keep you posted.

    Thanks, Brian


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, April 09, 2012 3:43 PM
  • Hi,

    I did some tests and got the same situation as yours.

    In 2003 schema/2000 mixed functional level, we are able to see the permission directly in ADUC.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, April 10, 2012 4:55 AM
  • In 2008 R2 schema/2008 functional level: (using DSACLS, I'm able to dump the permission and Write is listed)


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, April 10, 2012 4:57 AM
  • However, if we check ADSIEDIT in 2008 R2, we can find the permission correctly. The assumption is that that entry is filtered in the ADUC UI for easier management: http://support.microsoft.com/kb/296490


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, April 10, 2012 5:02 AM
  • Brian, you are a star... After all this time I've never come across this 'feature'. Shame there is no article that shows what is different between 2003 and 2008 etc. I just need to work out if it is the [top] or [person] setting that is causing the removal... It just seems so unusual for such an important property option to be filtered like this.

    Thanks.


    Boz

    Thursday, April 12, 2012 9:01 AM
  • I realise that this is a very old question and marked as answer by Nigel.

    I have the same issue here with my lab's AD and I can't seem to find the resolution for it. Can someone (Brian) perhaps advise me what exact "property" I need to modify in the dssec.dat file? I'm running Windows 2008 R2.

    Domain and Forest function level is Windows 2008 R2.

    What i wanted to do is to deny a group of users from making changes to group membership to be part of another group via "Member Of".

    Thank you.

    Monday, December 16, 2013 5:12 AM
  • Hi, The listed support article

    http://support.microsoft.com/kb/296490

    describes how to modify DSSEC.DAT.

    Somewhere in that file will be the 'Member Of' property filtered out against a user object.

    Hope that clarifies.

    Nigel.


    Boz

    Monday, December 16, 2013 9:18 AM
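Added example, not part of the thread, for the question of which dssec.dat entry hides the property (the accepted answer's KB 296490 filter and the [top]/[person] question above): a small PowerShell parser that reads dssec.dat from the machine where ADUC runs and reports the filter value for an attribute in each class section that could apply to user objects. KB 296490 documents 0 as "show read and write" and 7 as "hide"; reading 1 and 2 as hiding only read or only write is this example's assumption, not something the thread states.

```powershell
# Added example (not from the thread): find the ADUC display filter for an attribute
# in dssec.dat, the file KB 296490 describes. The file is INI-style: one
# [objectClass] section per class, each holding attribute=value lines. KB 296490
# gives 0 = show read and write and 7 = hide the property; reading 1 and 2 as
# "hide read" / "hide write" is this example's assumption, not from the thread.

function Read-DsSecDat {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\dssec.dat'))
    $sections = @{}          # PowerShell hashtables are case-insensitive, like the file
    $current  = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }      # blank or comment
        if ($line -match '^\[(.+)\]$') {                              # [className]
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($null -ne $current -and $line -match '^([^=]+)=(\d+)$') { # attribute=value
            $sections[$current][$Matches[1].Trim()] = [int]$Matches[2]
        }
    }
    return $sections
}

function Get-DsSecFilter {
    param(
        [Parameter(Mandatory)][string]$Attribute,
        # user inherits from organizationalPerson, person and top, so a filter in
        # any of those sections is a candidate for what ADUC applies to user objects.
        [string[]]$ObjectClass = @('user', 'organizationalPerson', 'person', 'top'),
        [string]$Path = (Join-Path $env:SystemRoot 'System32\dssec.dat')
    )
    $data = Read-DsSecDat -Path $Path
    foreach ($class in $ObjectClass) {
        if (-not $data.ContainsKey($class)) { continue }
        if (-not $data[$class].ContainsKey($Attribute)) { continue }
        $value = $data[$class][$Attribute]
        $meaning = switch ($value) {
            0       { 'read and write both shown' }
            7       { 'hidden entirely (KB 296490)' }
            default { 'partially hidden (assumed: 1 hides read, 2 hides write)' }
        }
        [pscustomobject]@{ Section = $class; Attribute = $Attribute; Value = $value; Meaning = $meaning }
    }
}

# Usage: which section filters memberOf for user objects on this machine?
Get-DsSecFilter -Attribute 'memberOf' | Format-Table -AutoSize
```

The file only changes what the console displays; the ACL itself is untouched, which is why DSACLS and ADSIEDIT keep showing the entry. Run this on the workstation or server where ADUC is opened, since that is the copy of dssec.dat the console reads.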
  • Sorry, Missed your point...

    If you want to Deny people the right to modify group membership you change the rights for that group to deny write access to the 'Members' property...or apply it to all Group objects in the OU.

    Boz


    Boz

    Monday, December 16, 2013 11:08 AM
  • Hi Boz,

    I wanted to prevent people from making changes to the "Member Of" tab. Can it be done at the OU level, or does it have to be done at the group level?

    For example, I can do this in the command line,

    dsacls.exe "CN=Domain Admins,CN=Users,DC=msft,DC=local" /d msft\admin1:RPWP;memberOf

    Check the permission using ADSIEdit, it's listed "Write memberOf" and "Read memberOf" = both Deny.

    But when I logged on as admin1, I can still add group to Domain Admins on the "Members Of" tab.

    Hope this makes sense.


    • Edited by cad2011 Monday, December 16, 2013 9:29 PM
    Monday, December 16, 2013 9:16 PM
  • Domain Admins is a protected group and its AD security settings will be reset by the system (admincount=1).

    Go back to basics...Check out this article

    http://technet.microsoft.com/en-us/library/cc875827.aspx

    I prefer to never use Domain Admins any more and create a separate Admin structure based on Tasks (applied to OUs for users/groups etc) and then add the Task to a Role Group (which is in another different protected OU), then the user gets the role.

    Hopefully this will help.


    Boz

    Tuesday, December 17, 2013 9:34 AM
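Added example, not part of the thread, covering Boz's two points above (deny write on the groups' 'Members' property rather than on users' memberOf, and protected groups being reset by AdminSDHolder): a PowerShell function that places a Deny on the member attribute of descendant group objects under an OU, after warning about any groups there with adminCount=1. Membership changes are writes to the group's member attribute; memberOf on a user is a back-link the directory maintains, which is the other reason the dsacls Deny on memberOf above did not stop admin1. It assumes the RSAT ActiveDirectory module; the OU distinguished name is a placeholder and HelpDesk is the group named in the thread.

```powershell
# Added example (not from the thread): deny a helpdesk group the right to change
# group membership inside an OU. Membership changes are writes to a group's
# "member" attribute; memberOf on users is a back-link the directory computes,
# which is why a Deny on memberOf does not stop an account from adding itself
# to a group. Assumes the RSAT ActiveDirectory module; the OU distinguished name
# is a placeholder and HelpDesk is the group named in the thread.
Import-Module ActiveDirectory

function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Object-specific ACEs identify attributes and classes by schemaIDGUID, not by name.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "'$LdapDisplayName' is not in the schema" }
    return [guid]$obj.schemaIDGUID
}

function Get-ProtectedGroups {
    param([Parameter(Mandatory)][string]$SearchBase)
    # adminCount=1 marks objects under AdminSDHolder protection: the system rewrites
    # their ACL periodically, so any Deny placed on them (or inherited by them) is
    # undone. Domain Admins itself is one of these, which is why the test above failed.
    Get-ADGroup -SearchBase $SearchBase -Filter 'adminCount -eq 1' -Properties adminCount
}

function Deny-GroupMembershipChanges {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$TrusteeGroup
    )
    foreach ($g in Get-ProtectedGroups -SearchBase $OuDistinguishedName) {
        Write-Warning "$($g.DistinguishedName) has adminCount=1; AdminSDHolder will reset its ACL, so the Deny will not hold there"
    }

    $trusteeSid = (Get-ADGroup -Identity $TrusteeGroup).SID
    $memberAttr = Get-SchemaIdGuid -LdapDisplayName 'member'
    $groupClass = Get-SchemaIdGuid -LdapDisplayName 'group'

    # Deny WriteProperty on "member", applied to descendant objects of class group only.
    # This is the ACE behind the 'Members' property Deny Boz describes, built without the UI.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $trusteeSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $memberAttr,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $groupClass
    )

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl

    # Read it back so the result is confirmed from the directory, not from the UI.
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.ObjectType -eq $memberAttr -and $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
}

# Usage (placeholder OU): block HelpDesk from editing membership of any group under the OU.
Deny-GroupMembershipChanges -OuDistinguishedName 'OU=Groups,DC=example,DC=com' -TrusteeGroup 'HelpDesk' |
    Format-Table -AutoSize
```

Applied at the OU, the ACE is inherited by every group under it, so it answers the "OU level or group level" question: one entry on the OU, scoped to descendant group objects. Groups with adminCount=1 are the exception the warning flags; their ACL comes from AdminSDHolder, not from the OU.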
  • Domain Admins is a protected group and its AD security settings will be reset by the system (admincount=1).

    Go back to basics...Check out this article

    http://technet.microsoft.com/en-us/library/cc875827.aspx

    I prefer to never use Domain Admins any more and create a separate Admin structure based on Tasks (applied to OUs for users/groups etc) and then add the Task to a Role Group (which is in another different protected OU), then the user gets the role.

    Hopefully this will help.


    Boz

    I know, I was just using Domain Admins as an example.

    I have created a group called HelpDesk and numerous OUs, and I'm trying to apply the permission onto the HelpDesk group.

    Tuesday, December 17, 2013 7:59 PM