Daily Archives: 9 April, 2014

AdminSDHolder – pitfalls and misunderstandings

By default, Active Directory creates a set of high-privileged accounts and groups when you create your domain. They are commonly called protected groups (or protected accounts).

Beginning with Windows 2000 Server there were four protected groups:

Administrators
Domain Admins
Enterprise Admins
Schema Admins

Windows 2000 Server SP4 and Windows Server 2003 added a number of groups and two user accounts:

Administrator
Krbtgt
Backup Operators
Cert Publishers (removed again in Windows Server 2003 SP1)
Domain Controllers
Print Operators
Replicator
Server Operators
Account Operators

Windows Server 2008 added:

Read-Only Domain Controllers

Finally, a hotfix for Windows 2000 Server / Windows Server 2003 (KB817433) made it possible to exclude four of the operator groups from protection:

Account Operators
Server Operators
Print Operators
Backup Operators

This is done with the dSHeuristics attribute on CN=Directory Service,CN=Windows NT,CN=Services in the Configuration partition. Its 16th character is a hex bitmask of the groups to exclude (1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators), so "f" excludes all four. Because the attribute lives in the Configuration partition, the exclusion applies to every domain in the forest, and it needs Enterprise Admin rights to change.

http://support.microsoft.com/?id=817433
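The exclusion described above, as an added PowerShell example (not code from the original post or from Microsoft): it computes a new dSHeuristics value that keeps whatever is already set, pads the string to 16 characters, and writes the exclusion mask into position 16. It assumes the ActiveDirectory module, Enterprise Admin rights, and the helper name New-DsHeuristicsValue is my own.

```powershell
# Added example: exclude operator groups from AdminSDHolder protection via dSHeuristics.
# Assumes the ActiveDirectory module; the change is forest-wide (Configuration partition).
Import-Module ActiveDirectory

# Bit values of the 16th character of dSHeuristics (KB817433 / MS-ADTS dwAdminSDExMask).
$ExcludeMask = @{
    'Account Operators' = 1
    'Server Operators'  = 2
    'Print Operators'   = 4
    'Backup Operators'  = 8
}

# Hypothetical helper (mine, not an AD cmdlet): build the new attribute value.
function New-DsHeuristicsValue {
    param(
        [string]$Current,          # existing value; may be $null or shorter than 16 characters
        [string[]]$ExcludeGroups   # which of the four operator groups to exclude
    )
    $mask = 0
    foreach ($g in $ExcludeGroups) {
        if (-not $ExcludeMask.ContainsKey($g)) { throw "Not an excludable group: $g" }
        $mask = $mask -bor $ExcludeMask[$g]
    }
    # dSHeuristics is positional: pad with '0' to 16 characters and set only the
    # characters we own. The 10th character must be '1' (every 10th position is a
    # sanity digit: 10th = '1', 20th = '2', ...), which is why KB817433's example
    # reads 000000000100000f.
    $chars = ([string]$Current).PadRight(16, '0').ToCharArray()
    $chars[9]  = '1'
    $chars[15] = ('{0:x}' -f $mask)[0]
    return -join $chars
}

$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObj   = Get-ADObject -Identity $dsPath -Properties dSHeuristics

# Exclude Account Operators (1) and Print Operators (4): mask 5.
$newValue = New-DsHeuristicsValue -Current $dsObj.dSHeuristics -ExcludeGroups 'Account Operators', 'Print Operators'
"Current: '$($dsObj.dSHeuristics)'  ->  New: '$newValue'"   # empty value becomes 0000000001000005

# -WhatIf first; drop it to commit. SDProp applies the new exclusion on its next run,
# but objects it already stamped keep adminCount=1 and their copied ACL until you fix them.
Set-ADObject -Identity $dsPath -Replace @{ dSHeuristics = $newValue } -WhatIf
```

Two caveats for defenders: the same attribute is a convenient way for an attacker with Enterprise Admin rights to quietly weaken protection of the operator groups, so a change to dSHeuristics is worth an alert, and the other characters of dSHeuristics control unrelated forest behaviour, which is why the helper only touches positions 10 and 16.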

So what is special about protected groups, apart from their high privileges and the fact that most of them should almost never be used?

Those who run a delegated Organizational Unit structure may have noticed that every hour the delegated rights on some of the admin accounts disappear again, which creates a headache. The cause is SDProp, the security descriptor propagator that runs on the PDC emulator every 60 minutes by default: for every member of a protected group it replaces the object's security descriptor with the one on CN=AdminSDHolder,CN=System, disables ACL inheritance, and sets adminCount to 1. That is what this post is about: the misunderstandings around AdminSDHolder, SDProp and adminCount.
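To see which objects are affected before the next SDProp run, here is an added PowerShell example (not code from the original post). It lists every object with adminCount=1, explains which protected group or account causes the stamp, and flags orphans that kept the stamp after leaving the group. It assumes the ActiveDirectory module on a domain-joined machine; the function name Get-SdPropReport is mine and the -SearchBase value is a placeholder for your delegated OU.

```powershell
# Added example: report objects stamped by SDProp (adminCount=1) and why.
# Assumes the ActiveDirectory module; Get-SdPropReport is a hypothetical helper.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Protected groups from the lists above. Enterprise Admins and Schema Admins exist
# only in the forest root domain; groups excluded via dSHeuristics are still listed,
# their members simply will not show up with adminCount=1.
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
                   'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'

# Map DN -> reason it is protected: the group objects themselves (they are stamped
# too), their recursive members, and the two protected user accounts.
$protected = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    $protected[$grp.DistinguishedName] = "$name (group object)"
    Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object {
        $protected[$_.DistinguishedName] = "member of $name"
    }
}
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"   # RID 500, even if renamed
$protected[$builtinAdmin.DistinguishedName] = 'built-in Administrator account'
$protected["CN=krbtgt,CN=Users,$domainDN"]  = 'krbtgt account'

function Get-SdPropReport {
    param([string]$SearchBase = $domainDN)   # e.g. 'OU=Delegated,DC=example,DC=com' (placeholder)

    Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $SearchBase `
                 -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $dn = $_.DistinguishedName
        if ($protected.ContainsKey($dn)) {
            $reason = $protected[$dn]
        } else {
            # Left the protected group, but SDProp never clears adminCount or
            # re-enables inheritance: delegated ACEs stay broken until fixed by hand.
            $reason = 'ORPHAN: adminCount=1 but no protected membership'
        }
        [pscustomobject]@{
            Object             = $dn
            ProtectedBecause   = $reason
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected   # $true once SDProp has stamped it
        }
    }
}

# Everything in the domain that SDProp will overwrite again on its next run.
Get-SdPropReport -SearchBase $domainDN | Format-Table -AutoSize
```

Objects reported as orphans are the usual source of the "my delegation stopped working" complaint: removing an account from a protected group does not undo the stamp, so the ACL inheritance has to be re-enabled and adminCount cleared manually (for example with Set-ADObject -Clear adminCount and Set-Acl after SetAccessRuleProtection($false, $true) on the object's ACL). Accounts that legitimately stay in a protected group should not receive OU-level delegations at all, because SDProp will strip them again within the hour.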
