

AD user objects keep losing special permissions.

Sometimes it is necessary to set special permissions on user objects.  For instance, when using a Blackberry server, the SendAs permission needs to be set.  I see many admins struggle with setting that permission, only to see it disappear within a few hours.  The issue usually only occurs on a few users.

So why is this happening only on a few users? 

When a user is placed in an Admin group such as Domain Admins, AD tries to protect the security of that user object.  It does this by explicitly setting the security of that object, as opposed to inheriting the security as it usually does for regular users.  This prevents someone from delegating access on a container that contains a Domain/Enterprise Admin user and thus gaining access to an admin user object.  For instance, if you wanted to allow a helpdesk to change passwords or delete users in an OU, you can delegate that.  If your admin user was in that OU, the helpdesk could conceivably change your password or delete your account.  Not good.

So where does this explicitly set security come from?

It comes from the AdminSDHolder object in the System container.  The security permissions of the AdminSDHolder object are set on all Admin accounts explicitly.  The object name kind of makes sense (Admin Security Descriptor Holder).  AD applies these permissions every few hours to Admin objects.  So someone can turn on inheritance and set explicit permissions on an Admin object, but AD will re-apply the AdminSDHolder object permissions over top of it again, thus restoring security.

So how do I set specific permissions for an Admin user? 

One way would be to modify the permissions of the AdminSDHolder object (https://technet.microsoft.com/en-ca/library/cc772662(v=ws.10).aspx).  This is normally a bad idea, and I wouldn't recommend it: whatever you add there is stamped onto every protected account in the domain.  A better way would be to remove the person from the Admin group and give them a second account for admin purposes.  It is best practice not to mail-enable an Admin account anyhow.  Users shouldn't use their day-to-day account for admin purposes.

I removed the user from the Admin group, but the permission is still being removed.  Why? 

This is because AD keeps a user attribute called adminCount, which the AdminSDHolder process uses to track protected accounts, and that attribute is not reset when the user is removed from the group, so it is left in the incorrect state.  To correct this:

  1. Load Active Directory Users and Computers.
  2. Ensure Advanced Features is checked under the View menu.
  3. Navigate to the user in question.
  4. Right-click the user and select Properties.
  5. The attribute called adminCount should be set to <Not Set> for all non-admin users.
  6. Select this attribute, click Edit and select Clear.
  7. You will likely also need to set the user object to re-inherit security permissions from the Advanced button under the Security tab in AD Users and Computers.
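The same cleanup can be done in bulk for every account that still carries an orphaned adminCount.  The script below is an added example, not code from the article; it assumes the RSAT ActiveDirectory module is installed, that the default set of AdminSDHolder-protected groups applies in your domain, and that you have rights to modify the affected user objects.

```powershell
# Added example: find users still flagged with adminCount=1 that are no longer
# members of any AdminSDHolder-protected group, then clear the attribute and
# re-enable ACL inheritance (the manual steps above, automated).
param([switch]$ReportOnly)   # -ReportOnly lists candidates without changing anything

Import-Module ActiveDirectory   # also provides the AD: PSDrive used by Get-Acl/Set-Acl

# Assumed list of the well-known default protected groups; extend it if your
# domain has changed the default set.  Enterprise/Schema Admins only exist in
# the forest root, so lookups that fail are silently skipped.
$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Replicator')

# Build the set of DNs that are legitimately protected (nested membership included).
$ProtectedDNs = @{}
foreach ($g in $ProtectedGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) { $ProtectedDNs[$m.distinguishedName] = $true }
}

# Every user the AdminSDHolder process has stamped.
$Flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

foreach ($u in $Flagged) {
    # The built-in Administrator (RID 500) and krbtgt are always protected; leave them alone.
    if ($u.SID.Value.EndsWith('-500') -or $u.SamAccountName -eq 'krbtgt') { continue }
    if ($ProtectedDNs.ContainsKey($u.DistinguishedName)) { continue }

    Write-Host "Orphaned adminCount on $($u.SamAccountName) ($($u.DistinguishedName))"
    if ($ReportOnly) { continue }

    # Clear the attribute (equivalent to Edit -> Clear in Attribute Editor).
    Set-ADUser -Identity $u -Clear adminCount

    # Re-enable inheritance on the object's security descriptor.
    # SetAccessRuleProtection($false, $true): inherit again, keep existing explicit ACEs.
    $dn  = $u.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}
```

Run it once with -ReportOnly and review the list before letting it change anything, since an account that is protected through a group outside the assumed list would otherwise be un-protected.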

For more information, this Microsoft article discusses the delegated permissions and the AdminSDHolder object: https://support.microsoft.com/en-us/help/817433/delegated-permissions-are-not-available-and-inheritance-is-automatical

This article discusses Protected accounts and the adminCount attribute:


Hope this helps.

