ADS Rights disappearing every x minutes (typically 1 hour) on Windows 2003 AD Domain.

  • 7940306
  • 19-Aug-2009
  • 26-Apr-2012

Environment

SecureLogin
SecureLogin SSO
3.5.1.x, 3.5.2.0
MS AD, LDAP, NT4, Citrix, Terminal Services

Situation

The user installed SecureLogin in ADS mode and everything appeared to be OK. After a while, problems occurred that appeared to be related to rights. Upon further diagnosis it was discovered that some AD rights were not being inherited by some users. Users require rights to read SSO configuration information from the directory, such as which applications are SSO enabled, and to write (save and encrypt) information such as their application usernames and passwords to the directory.

When these rights were assigned directly on the affected User objects, the assignments automatically reverted to their old/default values after about one hour.

Resolution

An NT4 domain has built-in groups such as Account Operators and Print Operators. When you upgrade the domain controller to Windows Server 2003 these groups still exist; they are default Windows groups.

These operator groups are "protected" groups. When a user is, or once was, a member of a protected group, the adminCount attribute on the user object is set to "1". Such a user will not inherit the settings from the OU.

Using ADSIEDIT.MSC you can solve this issue by opening the properties of the user object. In the attribute list you will find "adminCount = 1".

When you set this value to "0" the user inherits all settings from the organizational unit again, including the SecureLogin SSO rights.

By setting this value to "0", the user's membership of the "old" protected groups, Account Operators and Print Operators, is effectively removed (even if the user is still a member of the actual group).
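The lookup and reset described above, as an added PowerShell example that is not part of this TID or of the SecureLogin product: it lists every user stamped with adminCount=1, checks whether the account is still nested inside a protected group (the AdminSDHolder/SDProp process re-stamps those accounts on its next hourly run, so their membership has to change first), and with the assumed -Fix switch sets adminCount to 0 and re-enables ACL inheritance on the object, which SDProp also disables. The protected-group list, the -Fix switch and the helper function name are assumptions; verify the list against your own domain.

```powershell
# Added example, not from the original TID. Runs with plain ADSI, no RSAT needed.
param([switch]$Fix)

# Assumed list of default protected groups on Windows Server 2003; adjust to your domain.
$protectedGroups = @('Administrators','Account Operators','Backup Operators','Print Operators',
                     'Server Operators','Domain Admins','Enterprise Admins','Schema Admins',
                     'Domain Controllers','Replicator','Cert Publishers')

# Walk memberOf recursively so nested membership in a protected group is found too.
function Get-NestedGroupDNs([string]$dn, [System.Collections.Generic.HashSet[string]]$seen) {
    $obj = [adsi]"LDAP://$dn"
    foreach ($g in @($obj.memberOf)) {
        if ($seen.Add([string]$g)) { Get-NestedGroupDNs ([string]$g) $seen }
    }
}

$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(adminCount=1))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName','sAMAccountName'))

foreach ($r in $searcher.FindAll()) {
    $dn  = [string]$r.Properties['distinguishedname'][0]
    $sam = [string]$r.Properties['samaccountname'][0]
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    Get-NestedGroupDNs $dn $seen
    # Extract the CN of each group DN (handles escaped commas) and compare to the list.
    $stillProtected = @($seen | ForEach-Object {
        if ($_ -match '^CN=((?:\\.|[^,])+)') { $matches[1] -replace '\\(.)','$1' }
    } | Where-Object { $protectedGroups -contains $_ })

    $user = [adsi]"LDAP://$dn"
    $blocked = $user.ObjectSecurity.AreAccessRulesProtected
    if ($stillProtected.Count -gt 0) {
        # SDProp will stamp adminCount=1 again within the hour; fix the membership first.
        Write-Output ("{0}: still in protected group(s) {1}; remove membership before resetting" -f $sam, ($stillProtected -join ';'))
        continue
    }
    Write-Output ("{0}: adminCount=1 but no protected membership; inheritance blocked={1}" -f $sam, $blocked)
    if ($Fix) {
        $user.Put('adminCount', 0)                              # the TID's fix
        $user.ObjectSecurity.SetAccessRuleProtection($false, $true)  # allow inheritable ACEs from the OU
        $user.CommitChanges()
    }
}
```

Run it without -Fix first; it only reports, so you can confirm which accounts are stale leftovers and which are still legitimately in an operator group.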

For more information, please refer to the MS KB article below:

http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

Additional Information

Root Cause

Microsoft documents that this behavior may occur when you upgrade an existing Windows NT or Windows 2000 domain controller to a Windows Server 2003 DC.

These three symptoms occur:

  • Delegated permissions are not available to all users in an organizational unit.
  • Inheritance is automatically disabled on some user accounts approximately once an hour.
  • Users who previously had delegated permissions no longer have them.

This problem may also occur after you apply hotfix 327825 to Microsoft Windows 2000 Server, or after you install Windows 2000 Service Pack 4 on a Windows 2000 Server.