AD user objects keep losing special permissions.

Sometimes it is necessary to set special permissions on user objects. For instance, a BlackBerry Enterprise Server needs the Send As permission set on the user object. I see many admins struggle to set that permission, only to watch it disappear again within a few hours. The issue usually occurs on only a few users.

So why does this happen only on a few users?

When a user is placed in a protected admin group such as Domain Admins, AD protects that user object. It does this by disabling inheritance and setting the security descriptor of the object explicitly, instead of letting it inherit permissions from its container the way it does for regular users. This prevents someone from delegating access on a container that holds a Domain or Enterprise Admin and thereby gaining access to an admin user object. For instance, you may want to delegate to the help desk the right to reset passwords or delete users in an OU. If your admin account were in that OU, the help desk could conceivably change your password or delete your account. Not good.


So where does the explicit security come from?

It comes from the AdminSDHolder object in the System container. The object name makes sense once you expand it (Admin Security Descriptor Holder). The Security Descriptor Propagator (SDProp), which runs on the PDC emulator every 60 minutes by default, copies the permissions of AdminSDHolder onto every protected account, sets the adminCount attribute of that account to 1, and disables inheritance on it. So someone can turn inheritance back on and set explicit permissions on an admin object, but on its next run SDProp re-applies the AdminSDHolder permissions over the top of them, restoring the protected security.
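You can confirm the stamping yourself by comparing the explicit ACEs on a protected user with the explicit ACEs on AdminSDHolder. The PowerShell below is an added example and is not code from the original article; it assumes the RSAT ActiveDirectory module (which also creates the AD: drive) and uses the placeholder account name jdoe.

```powershell
# Added example (not from the original article). Compares the explicit ACEs on a
# protected user with those on AdminSDHolder to show that SDProp has copied them.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$user     = Get-ADUser -Identity 'jdoe' -Properties adminCount

# Reduce an ACL to comparable strings: trustee, rights, allow/deny, and the
# object/attribute GUIDs the ACE is scoped to. Inherited ACEs are ignored so
# only what SDProp would have copied is compared.
function ConvertTo-AceKey {
    param($Access)
    $Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.ActiveDirectoryRights, $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType
        } |
        Sort-Object -Unique
}

$holderAcl = Get-Acl -Path "AD:\$holderDN"
$userAcl   = Get-Acl -Path "AD:\$($user.DistinguishedName)"

# A protected account shows adminCount=1 and inheritance blocked (AreAccessRulesProtected=True)
'{0}: adminCount={1}, inheritance blocked={2}' -f $user.SamAccountName, $user.adminCount, $userAcl.AreAccessRulesProtected

$diff = Compare-Object -ReferenceObject (ConvertTo-AceKey $holderAcl.Access) -DifferenceObject (ConvertTo-AceKey $userAcl.Access)
if (-not $diff) {
    'Explicit ACEs on the user are identical to AdminSDHolder: SDProp has stamped this object.'
} else {
    'ACEs that differ (<= only on AdminSDHolder, => only on the user):'
    $diff | Format-Table -AutoSize
}
```

If you add an ACE (such as Send As) directly to the user, it shows up on the "=>" side of the comparison; check again after the next SDProp run and it will be gone, which is exactly the behaviour the article describes.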


So how do I set specific permissions for an Admin user? 

One way would be to modify the permissions of the AdminSDHolder object itself (https://technet.microsoft.com/en-ca/library/cc772662(v=ws.10).aspx). That grants the extra permission to every protected account in the domain, which is normally a bad idea, and I wouldn't recommend it. A better way is to remove the person from the admin group and give them a second account for admin purposes. It is best practice not to mail-enable an admin account anyway, and users shouldn't use their day-to-day account for admin purposes.


I removed the user from the admin group, but the permission is still being removed. Why?

This is because SDProp sets the adminCount attribute to 1 on protected accounts but never clears it when an account leaves the group, and inheritance stays disabled as well, so the object is left in the wrong state. Before correcting it, confirm the user is not still a member of some other protected group, including through nested groups: Account Operators, Backup Operators, Print Operators, Server Operators and the built-in Administrators group are protected just like Domain Admins, Enterprise Admins and Schema Admins. To correct a genuinely orphaned account:

  1. Load Active Directory Users and Computers.
  2. Ensure Advanced Features is checked under View.
  3. Navigate to the user in question.
  4. Right-click the user, select Properties and open the Attribute Editor tab.
  5. The attribute adminCount should read <not set> for all non-admin users.
  6. Select this attribute, click Edit and select Clear.
  7. You will also need to re-enable inheritance on the user object: on the Security tab, click Advanced and enable inheritance of permissions from the parent object.
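The same check and fix can be done for every user in the domain at once. The script below is an added example, not code from the original article: it lists users that still carry adminCount=1 although they are no longer transitive members of any protected group, and with -Fix performs the two steps above (clear adminCount, re-enable inheritance). It assumes the RSAT ActiveDirectory module and a hypothetical file name of Find-OrphanedAdminCount.ps1; in a child domain, Enterprise Admins and Schema Admins live in the forest root and must be checked there separately.

```powershell
# Added example (not from the original article). Finds users with adminCount=1 that
# are no longer (transitive) members of any protected group and optionally clears
# adminCount and re-enables inheritance. Assumes the RSAT ActiveDirectory module.
# Usage (hypothetical file name):
#   .\Find-OrphanedAdminCount.ps1               # report only
#   .\Find-OrphanedAdminCount.ps1 -Fix -WhatIf  # show what would change
#   .\Find-OrphanedAdminCount.ps1 -Fix          # apply the fix
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

Import-Module ActiveDirectory
$domain = Get-ADDomain
$sid    = $domain.DomainSID.Value

# Default protected groups by well-known SID. Schema Admins (518) and Enterprise
# Admins (519) only resolve in the forest root domain; unresolvable SIDs are skipped.
$protectedSids = @("$sid-512", "$sid-516", "$sid-518", "$sid-519", "$sid-521",
                   'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',
                   'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552')
$protectedDns = foreach ($s in $protectedSids) {
    try { (Get-ADGroup -Identity $s -ErrorAction Stop).DistinguishedName } catch { }
}

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC evaluate nested
# group membership server-side, so users protected through nesting are not flagged.
$notMember = ($protectedDns | ForEach-Object { "(!(memberOf:1.2.840.113556.1.4.1941:=$_))" }) -join ''
$filter = "(&(objectClass=user)(objectCategory=person)(adminCount=1)(!(sAMAccountName=krbtgt))$notMember)"

# krbtgt and the built-in Administrator (RID 500) are always protected, so exclude them.
$orphans = Get-ADUser -LDAPFilter $filter -Properties adminCount |
    Where-Object { $_.SID.Value -ne "$sid-500" }

foreach ($u in $orphans) {
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    '{0}: adminCount={1}, inheritance blocked={2}' -f $u.SamAccountName, $u.adminCount, $acl.AreAccessRulesProtected

    if ($Fix -and $PSCmdlet.ShouldProcess($u.DistinguishedName, 'clear adminCount and enable inheritance')) {
        Set-ADUser -Identity $u -Clear adminCount
        # SetAccessRuleProtection($false, ...) turns inheritance back on. The explicit
        # ACEs SDProp stamped are left in place and can be reviewed or removed afterwards.
        $acl.SetAccessRuleProtection($false, $false)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it without -Fix first and review the list: anyone who appears here but should still be an admin belongs back in the right group, not in the fix path.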


For more information, this Microsoft article discusses delegated permissions and the AdminSDHolder object: https://support.microsoft.com/en-us/help/817433/delegated-permissions-are-not-available-and-inheritance-is-automatical

This article discusses protected accounts and the adminCount attribute:

https://blogs.technet.microsoft.com/lrobins/2011/06/23/admin-free-active-directory-and-windows-part-2-protected-accounts-and-groups-in-active-directory/


Hope this helps.


Author: Pber
