I used the permissionbrowser utility and here are the results. I have re-checked AD, and the user is not a member of Domain Admins. How can I remove the incorrect permissions for the user?
Below is the user's info.
Control: SE_SELF_RELATIVE | SE_DACL_PRESENT
Owner:
SID: S-1-5-21-1222195821-1132349098-91453608-512
Name: Domain Admins
DomainName: CHARNT
Group:
SID: S-1-5-21-1222195821-1132349098-91453608-513
Name: Domain Users
DomainName: CHARNT
Dacl:
Header:
AceType: ACCESS_ALLOWED_ACE_TYPE
AceFlags: CONTAINER_INHERIT_ACE
Mask: 0x204BF
0x400
DV_DS_SEARCH_ARCHIVE
DV_DS_DELETE_FOLDER
DV_DS_ADD_FOLDER
DV_DS_READ_FOLDER
DV_DS_DELETE_ITEM
DV_DS_ADD_ITEM
DV_DS_READ_ITEM
Sid:
SID: S-1-5-21-1222195821-1132349098-91453608-8063
Name: GASKS
DomainName: CHARNT
Header:
AceType: ACCESS_ALLOWED_ACE_TYPE
AceFlags:
Mask: 0x4BF
0x400
DV_DS_SEARCH_ARCHIVE
DV_DS_DELETE_FOLDER
DV_DS_ADD_FOLDER
DV_DS_READ_FOLDER
DV_DS_DELETE_ITEM
DV_DS_ADD_ITEM
DV_DS_READ_ITEM
Sid:
SID: S-1-5-21-1222195821-1132349098-91453608-8063
Name: GASKS
DomainName: CHARNT
My info is below
Control: SE_SELF_RELATIVE | SE_DACL_PRESENT
Owner:
SID: S-1-5-21-1222195821-1132349098-91453608-500
Name: Administrator
DomainName: CHARNT
Group:
SID: S-1-5-21-1222195821-1132349098-91453608-500
Name: Administrator
DomainName: CHARNT
Dacl:
Header:
AceType: ACCESS_ALLOWED_ACE_TYPE
AceFlags:
Mask: 0x4BF
0x400
DV_DS_SEARCH_ARCHIVE
DV_DS_DELETE_FOLDER
DV_DS_ADD_FOLDER
DV_DS_READ_FOLDER
DV_DS_DELETE_ITEM
DV_DS_ADD_ITEM
DV_DS_READ_ITEM
Sid:
SID: S-1-5-21-1222195821-1132349098-91453608-12170
Name: COLED
DomainName: CHARNT