Active Directory (rights issues)
Question: When a user is granted the highest-level administration group in Active Directory and then has it removed, the user can no longer edit personal information within AD. Only users that have the group that was removed can now change AD user properties. Solution? - At this point the only workaround I have is to delete and recreate the affected user. Question: Is there any other solution?
May 4th, 2011 11:06am

Hello, I have not understood well what you said, but it looks like you have mistakenly deleted an AD user/group. Do you have AD Recycle Bin enabled? If yes, you can restore it from AD Recycle Bin. If not, do you have a backup of a DC that dates from before the appearance of the problem? If yes, perform an authoritative restore of the deleted AD object. If your object is still tombstoned, you can use the ADRestore tool to restore it: http://technet.microsoft.com/en-us/sysinternals/bb963906.aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner, Microsoft Certified Professional, Microsoft Certified Systems Administrator: Security, Microsoft Certified Systems Engineer: Security, Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration; Windows Server 2008 Network Infrastructure, Configuration; Windows Server 2008 Applications Infrastructure, Configuration
May 4th, 2011 11:28am

Hello, please specify the OS version and SP/patch level of the domain DCs. The highest administrative group is the Enterprise Admins security group, and this can't be deleted; the OS prevents it. So please describe in detail which group has been deleted, which accounts had belonged to this group, and which additional security groups they are members of.
Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 4th, 2011 5:57pm

Hello Meinolf, I will investigate the OS version and SP/patch level of the domain DCs and post later. However, I will clarify the issue. The issue is when a user is part of the Enterprise Admins security group and then no longer needs this access; once access is removed, the user no longer has certain inherited rights. We can open ADUC and go to "Security --> Advanced" in the properties of the user that has had this access removed, and now "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here" has been unchecked. A user in the Enterprise Admins security group is able to re-apply this option for the affected user; however, in about an hour a service runs and removes this check mark and certain options under "SELF" under the Security tab. Thanks
May 5th, 2011 10:21am

Hello, you are now talking about the AdminSDHolder, which is completely different from deleting a security group or user accounts; please see here about it: http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 5th, 2011 7:17pm
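As an added example (not code from the thread or from Microsoft), the following PowerShell lists accounts that SDProp has stamped with adminCount=1 but which are no longer members of any protected group, reports whether inheritance is still blocked on each, and shows the cleanup that makes deleting and recreating the user unnecessary. It assumes the RSAT ActiveDirectory module, the default protected-group set, and rights to modify the affected objects.

```powershell
# Added example: find and repair "orphaned" AdminSDHolder-protected accounts.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive used below).
Import-Module ActiveDirectory

# Groups SDProp protects by default. Some Operators groups and Replicator can be
# excluded via dSHeuristics; adjust this list to match the domain's configuration.
$protectedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'Replicator'
)

# Collect the DN of every direct or nested member of the protected groups.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($grp) {
        Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $protectedMembers[$_.distinguishedName] = $true }
    }
}

# Accounts SDProp stamped (adminCount=1) that are no longer in any protected group.
# SDProp never clears adminCount or re-enables inheritance on its own, which is
# exactly the state the thread describes after removing Enterprise Admins.
$orphans = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { -not $protectedMembers.ContainsKey($_.DistinguishedName) }

foreach ($u in $orphans) {
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        InheritanceDisabled = $acl.AreAccessRulesProtected   # $true = still blocked
    }
}

# Remediation, commented out so the script is read-only by default. Because the
# account is out of every protected group, the hourly SDProp run will not undo it.
# foreach ($u in $orphans) {
#     Set-ADUser -Identity $u -Clear adminCount
#     $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
#     $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep explicit ACEs
#     Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
# }
```

Review the report before uncommenting the remediation block: an account that is still nested in a protected group through a path Get-ADGroupMember could not resolve (for example a foreign security principal) will be re-stamped by SDProp within the hour.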
