Greetings my fellow IT comrades,
I have a peculiar problem with an OU in assigning rights to a group or individual to be able to check the "Password Never Expires" checkbox. The OU has any GPOs blocked from inheritance and although I grant the user or group full rights to the OU, they are unable to check this box for any user accounts within that OU. They can check and uncheck everything else but that option in a user's Account settings tab. With full permissions to the user or group, they can uncheck the box but not check it. Checking the box after it has been unchecked and applied will result in the error "The following Active Directory Domain Services error occurred: Access is denied." I've verified within the advanced security settings "Effective Permissions" and everything is checked for Read & Write for every object for the user account(s). Any ideas or thoughts as to what I should be looking for that is missing? Domain Admin of course can do everything to the account just not a particular account or group. What is missing? Your feedback or thoughts is greatly appreciated. Thanks in advance!
Van