Daily Archives: 9 April, 2014

AdminSDHolder – pitfalls and misunderstandings

In Active Directory, by default, a set of high-privileged accounts and groups is created when you create your domain. They are often called Protected Groups/Users.

From the beginning at Windows 2000 Server there were four protected groups:

Domain Admins
Enterprise Admins
Schema Admins

In Windows 2000 SP4 and Windows 2003 Server they added a bunch of Groups and two user accounts:

Backup Operators
Cert Publishers (removed in Windows 2003 Server SP1)
Domain Controllers
Print Operators
Server Operators
Account Operators

And in Windows 2008 Server they added:

Read-Only Domain Controllers

And one last thing, in a hotfix for Windows 2000/2003 Server the ability to remove a few groups as protected groups was enabled:

Account Operators
Server Operators
Print Operators
Backup Operators

This is controlled by a flag in the dsHeuristics attribute.


So, what is so special to know about protected groups, apart from the fact that they have high privileges and that most of them should almost never be used?

Those who have a delegated Organizational Unit structure may have noticed that every hour the delegated rights disappear for some of the admin accounts, which creates a headache. This is what this post is all about: the AdminSDHolder, SDProp and adminCount misunderstandings.
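The following PowerShell script is an added example and not code from the original post. It shows the two checks an administrator would run when chasing the hourly "disappearing rights" problem: which operator groups have been excluded from protection through the dsHeuristics flag, and which objects SDProp has already stamped (adminCount=1 with ACL inheritance disabled). It assumes the RSAT ActiveDirectory module is installed on a domain-joined machine and that the caller can read the domain and configuration naming contexts; the bitmask meaning of the 16th dsHeuristics character (1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators) follows Microsoft's documentation of that attribute.

```powershell
# Added example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and read access to the domain and configuration
# naming contexts of the current domain.
Import-Module ActiveDirectory

function Get-ExcludedOperatorGroups {
    # The 16th character of dsHeuristics on the Directory Service object is a
    # hex bitmask that removes operator groups from AdminSDHolder protection:
    # 1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $heur    = [string](Get-ADObject -Identity $dsPath -Properties dsHeuristics).dsHeuristics

    # Attribute unset or shorter than 16 characters: no group is excluded.
    if ($heur.Length -lt 16) { return @() }

    $mask  = [Convert]::ToInt32($heur.Substring(15, 1), 16)
    $flags = [ordered]@{ 1 = 'Account Operators'; 2 = 'Server Operators'; 4 = 'Print Operators'; 8 = 'Backup Operators' }
    $flags.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $flags[$_] }
}

function Get-AdminSDHolderStampedObjects {
    # Every object SDProp has touched carries adminCount=1 and a security
    # descriptor with inheritance disabled. An account that was later removed
    # from all protected groups keeps both, so delegated OU permissions never
    # reach it: this is the usual cause of the "rights disappear" complaint.
    Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            [pscustomobject]@{
                Name               = $_.Name
                ObjectClass        = $_.ObjectClass
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                DistinguishedName  = $_.DistinguishedName
            }
        }
}

"Operator groups excluded from AdminSDHolder protection via dsHeuristics:"
Get-ExcludedOperatorGroups

"Objects currently stamped by SDProp (adminCount=1):"
Get-AdminSDHolderStampedObjects | Format-Table Name, ObjectClass, InheritanceBlocked -AutoSize
```

Objects in the second list that are no longer members of any protected group are the ones to review: SDProp will not clear adminCount or re-enable inheritance on its own, so the delegated ACEs stay blocked until an administrator resets them.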
