AdminSDHolder - in laymen's terms is that the thing that resets default permissions on all built-in

Discussion in 'Active Directory' started by Spin, Mar 3, 2006.

  1. Spin

    Spin Guest

    AdminSDHolder - in laymen's terms is that the thing that resets default
    permissions on all built-in groups?
     
    Spin, Mar 3, 2006
    #1

  2. It isn't the thing that does it, but it is the container that holds the SD
    that the users in those groups are bounced back to when someone tries to
    change their SD.

    I'm not sure what process actually does the polling for the objects whose
    SDs change and reverts them.

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Mar 3, 2006
    #2

  3. Joe is right. The AdminSDHolder is considered the "admin security descriptor
    holder", which is a reference object for the protected objects (default admin
    users and admin groups and their members!)

    Every hour, the Microsoft Windows domain controller that has the primary
    domain controller (PDC) emulator operations master role verifies the ACLs on
    members of these administrative groups and compares them to the ACL on the
    AdminSDHolder object. If the ACL that is on the AdminSDHolder object is
    different, the ACLs on the members of the administrative group are reset to
    match the ACL on the AdminSDHolder object.

    For more info on the ADMINSDHOLDER object see the following related KB
    articles (not all may apply to your situation!)

    Description and Update of the Active Directory AdminSDHolder Object
    --> MS-KBQ232199 (http://support.microsoft.com/?id=232199)
    AdminSDHolder Thread Affects Transitive Members of Distribution Groups
    --> MS-KBQ318180 (http://support.microsoft.com/?id=318180)
    Delegated permissions are not available and inheritance is automatically
    disabled
    --> MS-KBQ817433 (http://support.microsoft.com/?id=817433)
    AdminSDHolder Object Affects Delegation of Control for Past Administrator
    Accounts
    --> MS-KBQ306398 (http://support.microsoft.com/?id=306398)
    Security tab of the adminSDHolder object does not display all properties
    --> MS-KBQ301188 (http://support.microsoft.com/?id=301188)
    "You do not have sufficient permissions in the Domain" error message occurs
    and Exchange Setup does not respond
    --> MS-KBQ319966 (http://support.microsoft.com/?id=319966)
    Certification Authority configuration to publish certificates in Active
    Directory of trusted domain
    --> MS-KBQ281271 (http://support.microsoft.com/?id=281271)

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
    -----------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test before implementing!
    -----------------------------------------------------------------------------


     
    Jorge de Almeida Pinto [MVP], Mar 4, 2006
    #3
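
A read-only way to see the comparison described in post #3, added here as an example and not written by anyone in the thread. It assumes the RSAT ActiveDirectory module, that protected objects are the ones carrying `adminCount=1` (an attribute the thread does not mention), and that an identical DACL string means an object is in sync with AdminSDHolder.

```powershell
# Added example: audit what the hourly AdminSDHolder check enforces.
# Read-only; needs the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$pdc      = $domain.PDCEmulator   # the DC that runs the hourly comparison
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$access   = [System.Security.AccessControl.AccessControlSections]::Access

# Reference security descriptor that protected objects are reset to.
$holder  = Get-ADObject -Identity $holderDn -Server $pdc -Properties nTSecurityDescriptor
$refDacl = $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm($access)

# Every trustee here ends up with the same rights on all protected objects,
# so review this list for entries you did not expect.
$holder.nTSecurityDescriptor.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# Assumption: objects marked as protected carry adminCount=1.
$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Server $pdc `
    -Properties nTSecurityDescriptor

$report = foreach ($obj in $protected) {
    $sd = $obj.nTSecurityDescriptor
    [pscustomobject]@{
        Name                 = $obj.Name
        ObjectClass          = $obj.ObjectClass
        # True when inheritance from the parent container is disabled.
        InheritanceBlocked   = $sd.AreAccessRulesProtected
        # True when the object's DACL is identical to the reference DACL.
        MatchesAdminSDHolder = ($sd.GetSecurityDescriptorSddlForm($access) -eq $refDacl)
        DistinguishedName    = $obj.DistinguishedName
    }
}

# Mismatches sort first: these were changed since the last run or are no
# longer covered by the check.
$report | Sort-Object MatchesAdminSDHolder, Name | Format-Table -AutoSize
```

An object that shows `MatchesAdminSDHolder = False` is worth a look: either its ACL was edited since the last hourly run, or it is a former member of a protected group that still has `adminCount=1` set.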
  4. Paul Williams [MVP], Mar 4, 2006
    #4
  5. Spin

    Spin Guest

    Nicely written.
    AdminSDHolder is the template for which the ACLs should be on the Protected
    Groups. For all else reading this, these are the Protected groups (and not
    necessarily the built-in ones, some are, some aren't):


    - Administrators
    - Account Operators
    - Backup Operators
    - Cert Publishers
    - Domain Admins
    - Enterprise Admins
    - Print Operators
    - Schema Admins
    - Server Operators
     
    Spin, Mar 4, 2006
    #5
  6. Close Paul.... SDPROP



    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Mar 5, 2006
    #6
  7. Ah, nice. Thanks Joe. I'll note that down and try and update that article
    with this info. Thanks!
     
    Paul Williams [MVP], Mar 5, 2006
    #7
