AdminCount Attribute

  • Question

  • Hi,

Does setting AdminCount to 0 revoke the group membership of users who are members of a protected AD group?

    I tried it on my own Domain Admin account, but it doesn't seem to be affecting my group membership, and I was still able to log in to the DC with the AdminCount value set to 0.

    I need to know the URL where these things are documented.

    Wednesday, March 20, 2013 12:04 PM

Answers

  • Check after one hour. The AdminCount value will revert to "1" (if you edit it manually). By default that process runs every hour on the PDC emulator.

    See the link: http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-part-2-protected-accounts-and-groups-in-active-directory.aspx

    Regards
    Biswajit Biswas
    My Blogs|TechnetWiki Ninja


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin


    Wednesday, March 20, 2013 2:52 PM
  • Check after one hour. The AdminCount value will revert to "1". By default that process runs every hour on the PDC emulator.

    See the link: http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-part-2-protected-accounts-and-groups-in-active-directory.aspx

    Regards
    Biswajit Biswas
    My Blogs|TechnetWiki Ninja


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    That is because the user is part of one of the protected groups, as articulated in the article I provided. SDProp runs hourly and will reset this until you get the user out of the protected group.

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, March 20, 2013 3:02 PM
    Moderator
  • 'AdminCount' is set to none (zero) '1' on objects protected by the AdminSDHolder process, which runs 15 minutes after boot (or after the directory service has been initialized) and then every hour on the domain controller holding the flexible single master operations role: PDC emulator.

    The following article is pretty detailed but is actually wrong on the initialization part: http://technet.microsoft.com/sv-se/magazine/2009.09.sdadminholder(en-us).aspx.

    1. The 'AdminSDHolder' or 'ProtectAdminGroups', as it's called internally, actually runs as its own task and has nothing to do with SDPROP (Security Descriptor Propagation Daemon).
    2. The 'AdminSDHolder' or 'ProtectAdminGroups' task changes security inheritance (more specifically, turns it off on protected objects). This will, however, trigger SDPROP (Security Descriptor Propagation Daemon), as it is triggered by any ACL inheritance change.

      Each DSA/DC runs SDProp (Security Descriptor Propagation Daemon) as a background task (TQ_TASK). By default, this task is triggered by the following condition:

      Any modification (originating or replicated) of the nTSecurityDescriptor attribute of any object (except for those modifications made by the SDProp daemon).
      This requires that any new/modified inheritable ACEs are propagated to all descendant objects and that any removed inheritable ACEs are removed from all descendant objects. ACE inheritance is not replicated; it is applied by SDProp using this process on all DSAs/DCs.

    For more information:
    http://blogs.chrisse.se/2012/02/20/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-3/


    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, March 20, 2013 9:35 PM

All replies

  • AdminSDCount is used as part of the SDProp process. Setting this value to zero will have no impact on groups; it impacts inheritance. Read the article at the URL below.
    http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.


    Wednesday, March 20, 2013 12:20 PM
    Moderator
  • I don't believe you can modify the adminCount attribute, it is assigned a value by the system. Per the description of the attribute:

    "Indicates that a given object had its ACLs changed to a more secure value by the system, because it was a member of one of the administrative groups (directly or transitively)"


    Richard Mueller - MVP Directory Services

    Wednesday, March 20, 2013 1:05 PM
  • Yeah, you do change this. You need to remove users from protected groups, reset the inheritance flag and reset the adminCount. Then users can inherit permissions from the parent OU structure.

    -- 
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, March 20, 2013 1:07 PM
    Moderator
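The clean-up the reply above describes (remove the user from the protected groups, then reset inheritance and adminCount) is easy to get wrong at scale, because SDProp sets adminCount=1 but never clears it, so accounts that left Domain Admins years ago still carry the flag and a protected ACL. The script below is an added example, not code from anyone in this thread or from Microsoft. It assumes the RSAT ActiveDirectory module (and its AD: PSDrive), rights to read and modify the user objects, and that the built-in Administrator and krbtgt accounts are protected regardless of group membership. It discovers the protected groups from the directory (they are themselves flagged adminCount=1), computes transitive membership, reports users whose adminCount=1 is now stale, and only then offers remediation behind -WhatIf. It clears the attribute rather than writing 0; either removes the stale flag.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module and
# rights to read/modify the user objects. Run with -WhatIf first.
Import-Module ActiveDirectory

# 1. Protected groups carry adminCount=1 themselves, so enumerate them from the
#    directory rather than hard-coding a list that differs between OS versions.
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)' -Properties adminCount

# 2. Transitive (nested) user membership of every protected group.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protectedMembers[$_.distinguishedName] = $true }
}
# Accounts protected regardless of membership (assumption: the default built-ins).
foreach ($name in 'Administrator', 'krbtgt') {
    $u = Get-ADUser -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue
    if ($u) { $protectedMembers[$u.DistinguishedName] = $true }
}

# 3. Users still flagged adminCount=1 but no longer in any protected group: the stale
#    entries the thread describes. Also report whether their ACL still blocks inheritance.
$flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor
$orphans = @($flagged | Where-Object { -not $protectedMembers.ContainsKey($_.DistinguishedName) })

$orphans | ForEach-Object {
    [pscustomobject]@{
        SamAccountName     = $_.SamAccountName
        DistinguishedName  = $_.DistinguishedName
        InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
    }
} | Format-Table -AutoSize

# 4. Remediation for orphans only: clear adminCount and re-enable ACL inheritance so the
#    OU-delegated permissions apply again. Drop -WhatIf once the report looks right.
#    Anything still in a protected group is left alone; SDProp would re-protect it anyway.
function Repair-OrphanedAdminCount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADUser[]] $User)
    foreach ($u in $User) {
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Clear adminCount and restore inheritance')) {
            Set-ADUser -Identity $u -Clear adminCount
            $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
            # isProtected=$false re-enables inheritance; preserveInheritance=$true keeps the
            # explicit ACEs SDProp stamped so nothing is lost before the OU ACEs flow down.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
        }
    }
}

if ($orphans.Count -gt 0) {
    Repair-OrphanedAdminCount -User $orphans -WhatIf
}
```

The report step is worth running on its own on a schedule: a user that appears with adminCount=1 but is not a transitive member of any protected group is either leftover hygiene debt or, occasionally, a sign that someone was in a privileged group briefly, which is a useful thing to know either way. Leave the flag in place for anything still in a protected group, since SDProp will reset it within the hour as the replies above explain.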
  • Yes, I remember now. The adminCount is assigned to 1 by the system when a user is added to a protected group, but the value does not get reset when a user is removed from protected groups.


    Richard Mueller - MVP Directory Services

    Wednesday, March 20, 2013 2:55 PM