Remove Inherited User from DNS Server Security in DNS snap-in.

  • Question

  • Good morning.

    Can anyone tell me where DNS servers in the DNS snap-in inherit their security permissions from?

    Right-clicking on a server in the DNS snap-in, selecting Properties and clicking the security tab shows an extra user from our domain that I would like to remove.  Selecting the user and clicking 'Remove' gives me the following error message:

    "You cannot remove [user] because this object is inheriting permissions from its parent.  To remove [user], you must prevent this object from inheriting permissions.  Turn off the option for inheriting permissions, and then try removing [user] again."

    Thank you.

    Thursday, October 14, 2010 2:39 PM

All replies

  • It's coming from AD. Has that user ever been delegated permissions in AD?

    You can also uncheck inheritance, choose Copy in the message, hit OK, then remove the user.


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

     

     

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, October 14, 2010 3:51 PM
  • Thank you for your reply.

    We are a small enough shop that we haven't had to use delegation (although it could have happened by accident).  Would you mind suggesting a good way to track down delegated objects? And do you know the next higher container for DNS servers in the domain structure?

    I would prefer not to break the inheritance (in this case) as it could affect operations in the future.  I may fall back on that option eventually, but I'm more concerned with tracking down the root of the problem (pardon the pun) at the moment.

    Thanks again.

    Thursday, October 14, 2010 6:06 PM
  • You are welcome. It won't hurt to remove inheritance, but I understand you would like to clean it up, as what I would do, too.

    Go into ADUC. Put the view in Advanced View. Right-click the domain, choose Properties. Check the Security tab. If that user account is not in there, check the OUs and Containers, and now it just occurred to me, thinking out loud, specifically the System container.

    I hope that helps to find the user account.

     


    Ace Fekay

    • Marked as answer by Phred00 Thursday, October 14, 2010 7:59 PM
    Thursday, October 14, 2010 6:37 PM
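
An added example, not part of the original thread or written by its participants: a read-only PowerShell function that automates the check described in the answer above, listing the domain root, OUs and containers where an account holds an explicit (non-inherited) ACE, which is where an inherited entry originates. It assumes the ActiveDirectory module (RSAT) is installed; the function name `Find-ExplicitAce` and the trustee `CONTOSO\someuser` are placeholders.

```powershell
# Added example: locate the objects where a trustee was granted permissions
# directly, so the inherited entry can be removed at its source.
# Read-only: it queries ACLs and changes nothing.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

function Find-ExplicitAce {
    param(
        # Account as it appears on the Security tab, e.g. 'CONTOSO\someuser'
        # (placeholder). For a deleted account, pass the SID string shown instead.
        [Parameter(Mandatory)] [string] $Trustee,
        # Defaults to the whole domain; narrow it to one OU or container if needed.
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Domain root, OUs and containers (System included): the places to check.
    $filter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $filter |
        ForEach-Object {
            $dn = $_.DistinguishedName
            (Get-Acl -Path "AD:\$dn").Access |
                # Keep only ACEs set on this object itself, for this trustee.
                Where-Object {
                    -not $_.IsInherited -and
                    $_.IdentityReference.Value -eq $Trustee
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        DistinguishedName = $dn
                        Rights            = $_.ActiveDirectoryRights
                        Type              = $_.AccessControlType
                        AppliesTo         = $_.InheritanceType
                    }
                }
        }
}

# Usage (placeholder account name):
Find-ExplicitAce -Trustee 'CONTOSO\someuser' | Format-Table -AutoSize
```

Each row is an object where the entry was set directly; an `AppliesTo` value of `All` or `Descendents` means it flows down to child objects.
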
  • Bingo.

    Turning on the advanced features enabled me to see the other containers (System included).  The username showed up in the System folder and was still inherited.  It turns out that this also enables the security tab on the top-level (Domain name).  The user account I was searching for is listed and can be removed.  Now I just have to figure out why it happened.  

    Thank you so much.

    Thursday, October 14, 2010 7:59 PM
  • Good to hear. It was probably a delegated account. If not, it could have been an application that automatically added it during setup.

    The funny thing about delegation is there is a delegation wizard, but no "undelegate" wizard. You would have to manually remove the account. Cheers!

    Ace


    Ace Fekay

    Thursday, October 14, 2010 8:53 PM
  • I had the same problem. We had a PDC go down, replaced it successfully, but it was still showing up in Security tabs everywhere. The above helped me remove it from DNS. THANK YOU SO MUCH!!!!

    aotwadmin

    Wednesday, March 28, 2012 7:22 PM
  • Aotwadmin, glad to hear you found it helpful. You are welcome!

    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, March 28, 2012 10:11 PM