Article ID: 306398 - View products that this article applies to.
This article was previously published under Q306398
A user or group (for example, helpdesk) is delegated control over an Organizational Unit (OU) by using the Delegation of Control Wizard. One or more users that are located in the OU are made members of the administrators group or a group the user is a member of is made a member of the administrators group. After the user or group is moved out of the administrators group, the helpdesk is unable to manage the user or group of users that were once administrators.
Once a user is added to an administrators group, the "Allow Inheritable Permissions From Parent" security setting is cleared on the user object. When the user is moved out of the administrators group, the "Allow Inheritable Permission from Parent" setting is not automatically added back.
If there are users that currently have the delegation-management problem:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
For additional information about why the inheritance permission is disabled on administrative accounts, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/232199/EN-US/ )Description and Update of Active Directory AdminSDHolder Object