Recipe 14.16 Modifying the ACL on Administrator Accounts

14.16.1 Problem

You want to modify the ACL for user accounts that are members of one of the administrative groups.

14.16.2 Solution

Using one of the methods described in Recipe 14.10, modify the ACL on the cn=AdminSDHolder,cn=Systems,<DomainDN> object in the domain the administrator accounts reside in. The ACL on this object gets applied every hour to all user accounts that are members of the administrative groups.

14.16.3 Discussion

If you've ever tried to directly modify the ACL on a user account that was a member of one of the administrative groups in Active Directory, or you modified the ACL on the OU containing an administrative account and wondered why the account's ACL was overwritten later, you've come to the right place. The Admin SD Holder feature of Active Directory is one that many administrators stumble upon after much grinding of teeth. However, after you realize the purpose for it, you'll understand it is a necessary feature.

Once an hour, a process on the PDC Emulator, which I'll refer to as the Admin SD Holder process, compares the ACL on the AdminSDHolder object to the ACL on the accounts that are in administrative groups in the domain. If it detects a difference, it will overwrite the account ACL and disable inheritance. If you later remove a user from an administrative group, you will need to reapply any inherited permissions and enable inheritance if necessary. The Admin SD Holder process will not take care of this for you.

The Admin SD Holder process is intended to subvert any malicious activity by a user that has been delegated rights over an OU or container that contains an account that is in one of the administrative groups. The malicious user could, for example, reset the password of the account and log in to the domain using that account, which would give him elevated privileges to do even more malicious things.

These are the groups included as part of the Admin SD Holder processing:

  • Administrators

  • Account Operators

  • Cert Publishers

  • Backup Operators

  • Domain Admins

  • Enterprise Admins

  • Print Operators

  • Schema Admins

  • Server Operators

The Administrator and Krbtgt user accounts are also specifically checked during the Admin SD Holder process.

14.16.4 See Also

MS KB 232199 (Description and Update of the Active Directory AdminSDHolder Object), MS KB 306398 (AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts), and MS KB 817433 (Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled)

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List