Modifying the ACL on Administrator Accounts

Modifying the ACL on Administrator Accounts


You want to modify the ACL for user accounts that are members of one of the administrative groups.


Using one of the methods described in Recipe 15.14, modify the ACL on the cn=AdminSDHolder,cn=Systems,<DomainDN> object in the domain that the administrator accounts reside in. The ACL on this object gets applied every hour to all user accounts that are members of the administrative groups.


If you've ever tried to directly modify the ACL on a user account that was a member of one of the administrative groups in Active Directory, or you modified the ACL on the OU containing an administrative account, and then wondered why the account's ACL was overwritten later, you've come to the right place. The Admin SD Holder feature of Active Directory is one that many administrators stumble upon after much grinding of teeth. However, after you realize the purpose for it, you'll understand it is a necessary feature.

Once an hour, a process on the PDC Emulator that we'll refer to as the Admin SD Holder process (but is actually known as the sdprop (SD Propagator) thread) compares the ACL on the AdminSDHolder object to the ACL on the accounts that are in administrative groups in the domain as well as the groups themselves. If it detects a difference, it will overwrite the account or Group ACL and disable inheritance.

If you later remove a user from an administrative group, you will need to reapply any inherited permissions and enable inheritance if necessary. The Admin SD Holder process will not take care of this for you.

The Admin SD Holder process is intended to subvert any malicious activity by a user that has been delegated rights over an OU or container that contains an account that is in one of the administrative groups. An OU administrator could, for example, modify permissions inheritance on an OU to attempt to lock out the Domain Admins group; this permission change would be reverted the next time that the SD Propagator thread runs.

These are the groups included as part of the Admin SD Holder processing:

  • Administrators

  • Account Operators

  • Cert Publishers

  • Backup Operators

  • Domain Admins

  • Enterprise Admins

  • Print Operators

  • Schema Admins

  • Server Operators

The administrator and krbtgt user accounts are also specifically checked during the Admin SD Holder process.

See Also

MS KB 232199 (Description and Update of the Active Directory AdminSDHolder Object), MS KB 306398 (AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts), and MS KB 817433 (Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled)

 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows