Do you ever find that for an admin account in Active Directory, when you tick the "Include inheritable permissions from this object's parent" box under Advanced Security, it is un-ticked again later? Read on.
This causes issues with Exchange 2007/2010, and more specifically with ActiveSync, OWA and Outlook Anywhere. New admin accounts (e.g. migrated user accounts) that have the "Include inheritable permissions from this object's parent" box un-ticked cannot connect to their mailboxes under these conditions. Once the box is manually ticked in Active Directory, admin users should be able to connect to their mailboxes as normal. But you need to be quick: within a 60 minute time frame the box will be un-ticked again by an automatic process called SDPROP.
Good news: once the new mailboxes are set up and working for the admin user accounts, it doesn't break anything when the "Include inheritable permissions from this object's parent" box is un-ticked again.
Active Directory uses an object called AdminSDHolder to define what permissions the default protected security groups receive. Whilst you can change the inherited permissions, a process called SDPROP runs by default every 60 minutes on the domain controller that holds the PDC emulator (PDCe) role. It checks the ACL of the protected groups and of the users within those groups, and resets their inherited permissions to match what has been defined on the AdminSDHolder object.
Microsoft's recommendation and best practice is that, if you are a domain administrator, you have two accounts: one for your everyday use, which is restricted in the same way as every other user, and a second for your administration role.
The built-in groups that are affected with Windows 2008 are:
- Account Operators
- Administrators
- Backup Operators
- Domain Admins
- Domain Controllers
- Enterprise Admins
- Print Operators
- Read-only Domain Controllers
- Replicator
- Schema Admins
- Server Operators
The built-in users that are affected with Windows 2008 are:
- Administrator
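To see which accounts SDPROP is actually going to keep resetting, the following PowerShell report (an added example, not part of the original post) lists every object stamped with adminCount=1, whether inheritance is currently blocked on its ACL, and which of the protected groups above makes it protected. It assumes the RSAT ActiveDirectory module, the default English group names, and read access to the domain; an empty ProtectedVia column flags an account that has left the protected groups but was never cleaned up.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory
# module; run with an account that can read the domain.
Import-Module ActiveDirectory

# SDPROP runs on the PDC emulator, so this is the DC whose 60 minute cycle matters.
$pdce = (Get-ADDomain).PDCEmulator
Write-Host "SDPROP runs on PDC emulator: $pdce"

# Protected groups for Windows Server 2008 (assumed default English names).
$protectedGroups = @('Account Operators', 'Administrators', 'Backup Operators',
    'Domain Admins', 'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators')

# Map every (transitive) member of a protected group to the group that protects it.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($null -eq $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $name }
}

# adminCount=1 is the stamp SDPROP leaves on every object it has ever reset.
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, objectClass |
    ForEach-Object {
        # The AD: drive exposes the object's security descriptor to Get-Acl.
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        [pscustomobject]@{
            Name               = $_.Name
            ObjectClass        = $_.ObjectClass
            # $true means the "Include inheritable permissions" box is un-ticked.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            # Empty = orphan: adminCount still set but no longer in a protected group.
            ProtectedVia       = $protectedMembers[$_.DistinguishedName]
        }
    } | Sort-Object ProtectedVia, Name | Format-Table -AutoSize
```

Accounts that show InheritanceBlocked as $false but have a ProtectedVia value are the ones that will flip back within the next SDPROP run, which is the window the Exchange mailbox setup above has to fit into.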