User and Groups protected by AdminSDHolder

-
We have created multiple users and groups within Active Directory. Some of these more privileged users and groups are protected and keep defaulting back to the AdminSDHolder permissions, which is causing us problems when applying permissions/resetting passwords. I need to keep the AdminSDHolder permissions as they are. The issue comes down to the fact that these groups and users are members of the builtin Administrators group. I need to stop the builtin Administrators group being a protected group, please.
Thanks
- Edited by Charlotte4065 Friday, January 27, 2017 11:16 AM
- Moved by nzpcmad1 Monday, January 30, 2017 5:42 PM From ADFS
All replies
-
"Use the dsHeuristics Attribute to Exclude Groups from AdminSDHolder."
Note, however, that modifying this subkey isn't recommended because doing so can increase LSA (Local Security Authority) processing overhead.
- Edited by sunny.sinha Friday, January 27, 2017 11:40 AM
- Proposed as answer by Wendy JiangModerator Monday, February 6, 2017 9:44 AM
-
And I would not recommend doing that; it's there for a reason.
I would instead take another look at your approach and see if there is another way around, maybe delegate rights on an OU level?
- Proposed as answer by Wendy JiangModerator Monday, February 6, 2017 9:44 AM
-
Hi,
I am checking how the issue is going. If you still have any questions, please feel free to contact us.
If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be very helpful to others who have the same question.
I appreciate your feedback.
Best regards,
Wendy
-
The dSHeuristics attribute of the cn=Directory Service object can only be used to exclude one or more of the Operator groups (Account, Backup, Print, Server) from the AdminSDHolder object. I have never heard of any way to exclude the Administrators group. And I agree that it would be a bad idea. Some relevant links:
https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx
Rather than somehow making Administrators unprotected, a better solution would be to create another group and delegate the permissions needed to the new group. For example, permission to reset passwords can be delegated to the group.
Edit: The links in this thread should help delegate permissions for things like password resets:
Richard Mueller - MVP Enterprise Mobility (Identity and Access)
- Edited by Richard MuellerMVP Monday, February 6, 2017 3:54 PM Added link
- Proposed as answer by Wendy JiangModerator Friday, February 10, 2017 8:41 AM
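
As an added example (not part of the thread and not Microsoft's code), this PowerShell function decodes the 16th character of a dSHeuristics value, the hexadecimal bit mask that selects which of the four Operator groups are excluded from AdminSDHolder protection, so the current state can be audited. The function name and the sample values are constructed for illustration; the commented lines at the end assume the ActiveDirectory module is available.

```powershell
# Added example: audit which Operator groups dSHeuristics excludes from AdminSDHolder.
# The 16th character of dSHeuristics is a hex digit used as a bit mask.
# Only these four groups have a bit; no bit exists for Administrators.
$OperatorBits = [ordered]@{
    'Account Operators' = 0x1
    'Server Operators'  = 0x2
    'Print Operators'   = 0x4
    'Backup Operators'  = 0x8
}

function Get-AdminSDHolderExclusion {   # hypothetical helper name
    param([string]$DsHeuristics)

    # Attribute unset or shorter than 16 characters: nothing is excluded.
    if ($DsHeuristics.Length -lt 16) { return }

    $digit = [string]$DsHeuristics[15]
    if ($digit -notmatch '^[0-9a-fA-F]$') {
        throw "Character 16 of dSHeuristics is '$digit', not a hex digit."
    }
    $mask = [Convert]::ToInt32($digit, 16)

    # Emit the name of every group whose bit is set in the mask.
    foreach ($entry in $OperatorBits.GetEnumerator()) {
        if ($mask -band $entry.Value) { $entry.Key }
    }
}

# Constructed sample values (not taken from any real forest).
$samples = '', '0000002', '000000000100000c', '000000000100000f'
foreach ($value in $samples) {
    $excluded = @(Get-AdminSDHolderExclusion -DsHeuristics $value)
    $summary = if ($excluded.Count) { $excluded -join ', ' } else { 'none (all protected)' }
    '{0,-18} -> excluded: {1}' -f "'$value'", $summary
}

# To read the live value (assumes the ActiveDirectory module and a domain-joined host):
# $dn = "CN=Directory Service,CN=Windows NT,CN=Services," + (Get-ADRootDSE).configurationNamingContext
# Get-AdminSDHolderExclusion (Get-ADObject $dn -Properties dSHeuristics).dSHeuristics
```

Any group the function reports is no longer reset by the AdminSDHolder process, so an unexpected entry is worth reviewing alongside who can modify that group's members.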