AdminSDHolder & Objects inheriting permissions

Possibility to solve the following issues:

– Upgraded Exchange/Domain Controller and users constantly getting prompted to enter in credentials
– Introduced a BES (BB Enterprise Server) and users not getting e-mail
“Include inheritable permissions from this object’s parent” checkbox constantly gets unchecked.

Role of AdminSHHolder:

The AdminSdHolder/Ds Propagator tread modifies all accounts which are direct or nested members of one of those groups and increases the attribut adminCount to a value higher than 0. This thread runs once an hour on the Domaincontroller holding the PDC-Emulator role. The thread further resets the security-descriptor of those accounts with the default permissions for administrative accounts which is defined by the security-descriptor of the object cn=AdminSdHolder,cn=System,dc=yourdomain,dc=com. This also resets the flag to disable inheritance of parent objects.

Accounts that are protected by Active Directory:

Active Directory protects certain accounts not to inherit delegated permission. This behavior applies to direct and nested members of the following security-groups:
Windows 2000 SP4 and newer:
Enterprise Admins
Schema Admins
Domain Admins
Account Operators
Server Operators
Print Operators
Backup Operators
Cert Publishers 

Additional the accounts Administrator and krbtgt are protected.

Best practices to be aware of:

  • AdminSdHolder also applies the permissions to accounts which are nested members through distribution groups. E.g. if User1 is a member of the distribution group Maillist-KnowHow, which is a member of account operators, then User1 is considered as one of the protected accounts (since the distribution group could be converted to a security group).
  • Be aware that the command whoami /all does show nested group memberships, but not nested groups through distribution groups.
  • Usually you should avoid nesting distribution groups in one of the protected groups.
  • Users, which are removed out of one of the protected groups (or their nested groups) do not inherit permissions from parent objects. You need to check the box to inherit permissions when removing those users out of the group manually, or use a script to check your users.
  • If you have many accounts which are protected by the AdminSdHolder/DS Propagation-Thread, you might notice that the lsass-process on the Domaincontrller holding the PDC-Emultor raises to 100% once an hour. Therefore you should avoid putting loads of users in the protected groups, and rather use delegated administration whenever possible.
  • Depending on your need you might want to remove Backup Operators, Printer Operators, Server Operators or Account Operators out of the AdminSdHolder protection. You can get a Hotfix at Microsoft PSS which allows to configure that. See the following KB for more informations on that:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s