AdminSDHolder protects a non-high-privileged user

    Question

  • Hi @ all,

    I've got a problem with a user that is protected by AdminSDHolder, but the user is not in a high-privileged group.

    I have seen that adminCount was set to 1, so I set it to 0. Maybe the user was an admin in the past. Afterwards I activated the inheritable permissions ...

    But 60 minutes later AdminSDHolder had reverted the settings.

    How can I determine why the user is protected by AdminSDHolder?

    Thanks

    Kind regards

    Adrian

    Monday, January 14, 2013 10:10 AM

All replies

  • Means the user is still under protected groups & the PDC emulator runs the process every 60 minutes.

    Exclude Protected Groups from AdminSDHolder in Active Directory   

    http://support.nordicedge.com/nsd1313-exclude-protected-groups-from-adminsdholder-in-active-directory/
    Have a look at this:

    http://support.microsoft.com/?id=817433
    Also: http://technet.microsoft.com/en-us/l.../cc772662.aspx

    To check if a user is protected by the AdminSDHolder object do an LDAP search for users that have the attribute "adminCount" set to "1". E.g. (&(objectcategory=person)(adminCount=1))


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin, Technet Wiki Ninja, MCC.




    Monday, January 14, 2013 11:19 AM
  • Note that SDPROP is <> from the AdminSDHolder background process:

    See the following for more in-depth information:
    The ancestors_col and the SDProp (Security Descriptor Propagation Demon) – How are they related?:
    http://blogs.chrisse.se/2012/02/20/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-3/
     
    The 'runProtectAdminGroupsTask' task triggers the AdminSDHolder background process (LDIF against the rootDSE, note the empty dn and the closing "-"):
    dn:
    changetype: modify
    add: runProtectAdminGroupsTask
    runProtectAdminGroupsTask: 1
    -


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Monday, January 14, 2013 12:07 PM
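    The LDIF above, as an added PowerShell example (editor's code, not from the thread or from Microsoft). It wraps the two rootDSE operations Christoffer is distinguishing: runProtectAdminGroupsTask starts the AdminSDHolder task, which only the PDC emulator runs, and fixupInheritance queues a full SDProp re-propagation of security descriptors and can be sent to any DC. It assumes Domain Admin rights and only System.DirectoryServices (no RSAT); the PDC is resolved at run time, nothing else is assumed about the environment.

```powershell
# Added example (not the poster's code). Sends one of the two rootDSE task
# triggers as an LDAP modify, the way the LDIF in the post does.
Add-Type -AssemblyName System.DirectoryServices

function Invoke-SdPropTask {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet('runProtectAdminGroupsTask', 'fixupInheritance')]
        [string]$Task = 'runProtectAdminGroupsTask',
        # Defaults to the PDC emulator; the AdminSDHolder task is only run there
        [string]$Server
    )
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    if (-not $Server) { $Server = $pdc }
    if ($Task -eq 'runProtectAdminGroupsTask' -and $Server -notlike "$pdc*" -and $pdc -notlike "$Server*") {
        Write-Warning "runProtectAdminGroupsTask is only acted on by the PDC emulator ($pdc); $Server will ignore it"
    }

    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    if ($PSCmdlet.ShouldProcess($Server, "rootDSE modify: add $Task = 1")) {
        $rootDse.Put($Task, '1')   # the 'add: <task>' / '<task>: 1' lines of the LDIF
        $rootDse.SetInfo()         # sends the modify; the DC starts the task asynchronously
    }
    [pscustomobject]@{ Server = $Server; Task = $Task; SentAt = Get-Date }
}

# Run the AdminSDHolder task now instead of waiting for the hourly cycle:
Invoke-SdPropTask -WhatIf                          # dry run: shows the target DC and operation
# Invoke-SdPropTask                                # AdminSDHolder task on the PDC emulator
# Invoke-SdPropTask -Task fixupInheritance -Server dc02.example.test   # full SDProp pass on one DC
```

    Useful when reproducing the original problem: after the trigger, re-read the user's ACL within a few seconds instead of waiting up to 60 minutes to see whether AdminSDHolder's descriptor is stamped back. The dc02.example.test name in the comment is a placeholder.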
  • Thanks

    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Monday, January 14, 2013 12:10 PM
  • Could you post the groups the user is a member of, because I have seen some webpages that don't include all of the groups adminSDHolder maintains.  Check the groups included in the article below.
    http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, January 14, 2013 1:12 PM
    Moderator
  • I have taken an RSOP and so I see that the user is a member of the group Administrators. But this group refers to his local computer where he has only local Administrator rights. Otherwise there are no other protected groups. I can't explain why SDProp is still reverting the settings.

    Monday, January 14, 2013 1:28 PM
  • How to Use the dsHeuristics Attribute to Exclude Groups from AdminSDHolder
    The dsHeuristics attribute can be used to exclude certain groups from being protected by AdminSDHolder. The following instructions outline the steps for modifying the dsHeuristics attribute on Windows Server 2008 R2:
    1. Log on to a domain controller or a member computer that has the Remote Server Administrator Tools (RSAT) installed.
    2. Go to Start. Click Run. Type adsiedit.msc, then click OK.
    3. In the ADSI Edit console, right-click on ADSI Edit in the console tree. Select Connect To.
    4. In the Connection Settings window, select Configuration from the Select a Well-Known Naming Context drop-down. Click OK.
    5. In the console tree, expand Configuration, expand Service, and expand Windows NT. Right-click on the Directory Service node, then select Properties.
    6. In the CN=Directory Service Properties window, select dsHeuristics. Click Edit.
    7. In the String Attribute Editor window, copy the existing value for dsHeuristics if it is set.
    8. In the String Attribute Editor window, replace the dsHeuristics value with what you want to set, such as 000000000100000f to exclude Account Operators, Server Operators, Print Operators, and Backup Operators groups. Figure A shows the String Attribute Editor window.

      Note: Replace the zeros in the first part of the value with what you may already have in dsHeuristics. Make sure that you have the correct count of digits up to the "f" or whatever bits you want to set.
    9. Click OK on the String Attribute Editor window. Click OK on the CN=Directory Service Properties window.

    http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

    Link given by Pbergs.


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    Monday, January 14, 2013 1:36 PM
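    The manual procedure above invites an off-by-one (count the zeros, keep the "1" at position 10, put the mask at position 16). As an added example (editor's code, not from the thread or the TechNet article), the same change done programmatically. Assumed facts are the dsHeuristics rules from MS-ADTS: positions are 1-based, every 10th character must equal its position divided by 10 (that is the "1" in 000000000100000f), and position 16 is dwAdminSDExMask with bits 1/2/4/8 excluding Account, Server, Print and Backup Operators. The attribute is forest-wide, so the exclusion affects SDProp in every domain; writing it needs Enterprise Admin rights and is gated behind -WhatIf/-Confirm. The string handling runs offline.

```powershell
# Added example (not the poster's code): compute and apply the AdminSDHolder
# exclusion mask in dsHeuristics without clobbering flags already set there.
$AdminSdExBits = [ordered]@{ 'Account Operators' = 1; 'Server Operators' = 2
                             'Print Operators'   = 4; 'Backup Operators' = 8 }

function Set-DsHeuristicsChar {
    param([string]$Current, [int]$Position, [char]$Value)
    $chars = [char[]]$Current.PadRight($Position, '0')     # extend to the needed length, never truncate
    for ($i = 9; $i -lt $chars.Length; $i += 10) {         # index 9 = position 10 -> '1', 19 -> '2', ...
        $chars[$i] = [char][string](($i + 1) / 10)
    }
    $chars[$Position - 1] = $Value
    -join $chars
}

function Get-AdminSdExMask([string[]]$Exclude) {
    $mask = 0
    foreach ($g in $Exclude) {
        if (-not $AdminSdExBits.Contains($g)) { throw "'$g' cannot be excluded; only: $($AdminSdExBits.Keys -join ', ')" }
        $mask = $mask -bor $AdminSdExBits[$g]
    }
    $mask
}

function Get-AdminSdExclusions([string]$DsHeuristics) {
    # Decode what an existing value already excludes (position 16 = index 15)
    if ($DsHeuristics.Length -lt 16) { return @() }
    $mask = [Convert]::ToInt32([string]$DsHeuristics[15], 16)
    @($AdminSdExBits.Keys | Where-Object { $mask -band $AdminSdExBits[$_] })
}

function Set-AdminSdHolderExclusions {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string[]]$Exclude)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $dsSvc   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $current = [string]$dsSvc.dsHeuristics                 # "" when the attribute is not set
    $new     = Set-DsHeuristicsChar -Current $current -Position 16 -Value ('{0:x}' -f (Get-AdminSdExMask $Exclude))
    if ($PSCmdlet.ShouldProcess($dsSvc.distinguishedName, "dsHeuristics '$current' -> '$new'")) {
        $dsSvc.Put('dsHeuristics', $new)
        $dsSvc.SetInfo()
    }
    $new
}

# Offline checks of the string logic (no directory access):
Set-DsHeuristicsChar -Current ''        -Position 16 -Value 'f'   # 000000000100000f, the article's value
Set-DsHeuristicsChar -Current '0000002' -Position 16 -Value 'c'   # 000000200100000c: 7th char kept, Print+Backup excluded
Get-AdminSdExclusions '000000000100000f'                          # all four operator groups
# Set-AdminSdHolderExclusions -Exclude 'Print Operators' -WhatIf   # shows the exact before/after string
```

    Two caveats a practitioner wants here. Excluding a group only stops SDProp from stamping its members from now on; accounts that already carry adminCount=1 and a blocked ACL keep both until someone clears them by hand. And the operator groups are protected for a reason: Print Operators, for example, can log on to domain controllers and load drivers there, so excluding them trades AdminSDHolder protection for convenience.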
  • This occurs if the user is a DIRECT member of a protected group or an INDIRECT member through some other group...
     
    Check the properties of the user in ADUC (Attribute Editor) and look at the attribute (tokenGroups). If you do this you will only see SIDs.
     
    You could use the following method to actually see the group names. Use the correct DN of the user.
     
    ##############################
    14-Jan-2013 15:18:27.74
    [RFSRWDC1] C:\>ADFind.exe -b "CN=ADM.ROOT,CN=Users,DC=ADCORP,DC=LAB" -s base tokengroups -resolvesids
     
    AdFind V01.46.00cpp Joe Richards (joe@joeware.net) March 2012
     
    Using server: RFSRWDC1.ADCORP.LAB:389
    Directory: Windows Server 2008 R2
     
    dn:CN=ADM.ROOT,CN=Users,DC=ADCORP,DC=LAB
    >tokenGroups: BUILTIN\Administrators
    >tokenGroups: BUILTIN\Users
    >tokenGroups: ADCORP\WSS_ADMIN_WPG
    >tokenGroups: ADCORP\Netmon Users
    >tokenGroups: ADCORP\Denied RODC Password Replication Group
    >tokenGroups: ADCORP\TK_R1_InfraSCSMAdmins
    >tokenGroups: ADCORP\TK_R1_CMS-SCP-Request-UnblockSC
    >tokenGroups: ADCORP\TK_R1_InfraExchangeOperators
    >tokenGroups: ADCORP\Enterprise Admins
    >tokenGroups: ADCORP\TK_R1_InfraCitrixFull
    >tokenGroups: ADCORP\RL_R1_CMS-Architects
    >tokenGroups: ADCORP\TK_R1_InfraMOMAuthors
    >tokenGroups: ADCORP\CSAdministrator
    >tokenGroups: ADCORP\Schema Admins
    >tokenGroups: ADCORP\TK_R1_InfraExchangeViewOnly
    >tokenGroups: ADCORP\TK_R1_CMS-ProfTmplt-Mng
    >tokenGroups: ADCORP\TK_R1_CMS-SCP-Enrollment-Agent
    >tokenGroups: ADCORP\TK_R1_CMS-SCP-Request-Renew
    >tokenGroups: ADCORP\TK_R1_CMS-SCP-Request-Revoke
    >tokenGroups: ADCORP\RL_R1_CMS-SecOfficers
    >tokenGroups: ADCORP\TK_R1_InfraExchangeAdmins
    >tokenGroups: ADCORP\TK_R1_CMS-SCP-Audit
    >tokenGroups: ADCORP\RL_R1_InfraFull
    >tokenGroups: ADCORP\TK_R1_InfraDNS
    >tokenGroups: ADCORP\TK_R1_InfraADAMinst
    >tokenGroups: ADCORP\TK_R1_CMS-SCP-Request-Enroll
    >tokenGroups: ADCORP\RL_R1_CMS-Approvers
    >tokenGroups: ADCORP\TK_R1_CMS-SCP-Read
    >tokenGroups: ADCORP\Organization Management
    >tokenGroups: ADCORP\TK_R1_InfraDCs
    >tokenGroups: ADCORP\TK_R1_InfraMOMUsers
    >tokenGroups: ADCORP\TK_R1_CMS-SCP-Request-Recover
    >tokenGroups: ADCORP\RL_R1_CMS-Helpdesk
    >tokenGroups: ADCORP\TK_R1_InfraWINS
    >tokenGroups: ADCORP\TK_R1_InfraSQLSrvAdmins
    >tokenGroups: ADCORP\TK_R1_InfraDHCP
    >tokenGroups: ADCORP\GRP_R1_ADCORP-ADFS-Kerberos-App-Owners
    >tokenGroups: ADCORP\GRP_R1_ADCORP-ADFS-NTLM-App-Contributors
    >tokenGroups: ADCORP\Domain Admins
    >tokenGroups: ADCORP\GRP_R1_ADCORP-ADFS-Claims-App-Viewers
    >tokenGroups: ADCORP\GRP_R1_ADCORP-ADFS-Claims-App-Contributors
    >tokenGroups: ADCORP\FIMSyncAdmins
    >tokenGroups: ADCORP\GRP_R1_ADCORP-ADFS-Kerberos-App-Contributors
    >tokenGroups: ADCORP\GRP_R1_ADCORP-ADFS-Kerberos-App-Viewers
    >tokenGroups: ADCORP\Group Policy Creator Owners
    >tokenGroups: ADCORP\GRP_R1_ADCORP-ADFS-NTLM-App-Viewers
    >tokenGroups: ADCORP\Domain Users
    >tokenGroups: ADCORP\GRP_R1_ADCORP-ADFS-NTLM-App-Owners
    >tokenGroups: ADCORP\GRP_R1_ADCORP-ADFS-Claims-App-Owners
     
     
    1 Objects returned
     
    14-Jan-2013 15:18:34.34
    [RFSRWDC1] C:\>
    ##############################

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------
    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Monday, January 14, 2013 2:26 PM
    Moderator
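    Biswajit's adminCount=1 filter and Jorge's tokenGroups lookup combined into one audit, as an added PowerShell example (editor's code, not from the thread, not AdFind). For every account with adminCount=1 it reads tokenGroups (the DC-computed transitive set, nested and domain-local groups included, which is why RSOP missed the Print Operators membership here), intersects it with the AdminSDHolder protected set, and reports whether ACL inheritance is currently blocked. An account with adminCount=1 but no protected hit is the other common cause of this question: SDProp never resets adminCount or re-enables inheritance when a user leaves a protected group. Assumptions: domain-joined Windows host, only System.DirectoryServices (no RSAT), read access to the users; the protected set is the Windows Server 2008 R2 list plus Key Admins and Enterprise Key Admins (added in 2016), and groups excluded via dsHeuristics still match here.

```powershell
# Added example (not the poster's code): explain why each adminCount=1 user is
# protected, using the same tokenGroups data AdFind shows in the post.
Add-Type -AssemblyName System.DirectoryServices

function Get-BaseObject {
    param([string]$Dn, [string[]]$Attributes)
    # Base-scope search: required for constructed attributes such as tokenGroups
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$Dn", '(objectClass=*)', $Attributes,
        [System.DirectoryServices.SearchScope]::Base)
    $searcher.FindOne()
}

function ConvertTo-SidString([byte[]]$Raw) {
    (New-Object System.Security.Principal.SecurityIdentifier($Raw, 0)).Value
}

function Get-DomainSid([string]$DomainDn) {
    $res = Get-BaseObject $DomainDn @('objectSid')
    ConvertTo-SidString $res.Properties['objectsid'][0]
}

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext
$domainSid = Get-DomainSid $domainDn
$rootSid   = Get-DomainSid ([string]$rootDse.rootDomainNamingContext)   # Schema/Enterprise Admins live in the forest root

# AdminSDHolder protected groups by SID (builtin are well-known, the rest are domain RIDs)
$Protected = @{
    'S-1-5-32-544'   = 'Administrators';   'S-1-5-32-548'   = 'Account Operators'
    'S-1-5-32-549'   = 'Server Operators'; 'S-1-5-32-550'   = 'Print Operators'
    'S-1-5-32-551'   = 'Backup Operators'; 'S-1-5-32-552'   = 'Replicator'
    "$domainSid-512" = 'Domain Admins';    "$domainSid-516" = 'Domain Controllers'
    "$domainSid-521" = 'Read-only Domain Controllers'
    "$domainSid-526" = 'Key Admins'                                     # Windows Server 2016+
    "$rootSid-518"   = 'Schema Admins';    "$rootSid-519"   = 'Enterprise Admins'
    "$rootSid-527"   = 'Enterprise Key Admins'                          # Windows Server 2016+
}

function Get-AdminSdHolderReason {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $res  = Get-BaseObject $DistinguishedName @('tokenGroups', 'objectSid', 'adminCount')
    $hits = New-Object System.Collections.Generic.List[string]

    # Administrator (RID 500) and krbtgt (RID 502) are protected as accounts, not through a group
    $ownSid = ConvertTo-SidString $res.Properties['objectsid'][0]
    if ($ownSid -match '-(500|502)$') { $hits.Add("account RID $($Matches[1])") }

    foreach ($raw in $res.Properties['tokengroups']) {
        $sid = ConvertTo-SidString $raw
        if ($Protected.ContainsKey($sid)) { $hits.Add($Protected[$sid]) }
    }

    $adminCount = if ($res.Properties.Contains('admincount')) { [int]$res.Properties['admincount'][0] } else { 0 }
    $aclBlocked = ([ADSI]"LDAP://$DistinguishedName").psbase.ObjectSecurity.AreAccessRulesProtected

    [pscustomobject]@{
        User         = $DistinguishedName
        AdminCount   = $adminCount
        Inheritance  = if ($aclBlocked) { 'blocked' } else { 'inherits' }
        ProtectedVia = if ($hits.Count -gt 0) { $hits -join ', ' } else { 'none: stale adminCount (SDProp never resets it)' }
    }
}

function Get-AdminCountReport {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$domainDn",
        '(&(objectCategory=person)(objectClass=user)(adminCount=1))',
        [string[]]@('distinguishedName'),
        [System.DirectoryServices.SearchScope]::Subtree)
    $searcher.PageSize = 500   # paged results, so the 1000-entry server limit does not truncate the audit
    foreach ($r in $searcher.FindAll()) {
        Get-AdminSdHolderReason -DistinguishedName $r.Properties['distinguishedname'][0]
    }
}

Get-AdminCountReport | Sort-Object ProtectedVia | Format-Table -AutoSize -Wrap
```

    In the case from this thread the report line for the user would show Inheritance = blocked and ProtectedVia = Print Operators, which is the answer to "why". A line with ProtectedVia = none is the leftover case: remove the account from nothing, clear adminCount and re-enable inheritance by hand, then confirm SDProp leaves it alone on its next run.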
  • Hi @ all,

    thank you very much for your answers.

    I found the problem. The user was a member of Print Operators, but the RSOP information did not show this group.

    ... and so I'm wondering...

    Now I can set inheritance.

    Kind Regards

    Adrian

    Monday, January 14, 2013 3:48 PM
  • How did you find it was a member of PRINT OPERATORS?
     

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Monday, January 14, 2013 4:33 PM
    Moderator