How do I modify AdminSDHolder settings?

Hi there,

We are attempting to enable anonymous LDAP operations in Windows 2003 AD.  This is working fine except for some users where the "Anonymous Logon" entry we add is disappearing after a little while.

We have narrowed this down to the work of the AdminSDHolder which is doing its job and removing the settings we put in at its predefined time because the affected users happen to be part of the Print Operators group.  When we remove users from this group the "Anonymous Logon" settings stay.

Can someone please tell me of a way that we can modify what AdminSDHolder does so that it allows users in the Print Operators group to have the "Anonymous Logon" entry with the "List Contents" attribute?

Thanks!
peterkennedy Asked:

bwalker1 Commented:
From http://myitforum.com/articles/21/view.asp?id=8736

This can cause problems if there is a reason to set specific permissions on a user object which happens to be a member of one of the following protected groups:


    * Domain Administrators
    * Enterprise Administrators
    * Schema Administrators
    * Administrators
    * Account Operators
    * Server Operators
    * Print Operators
    * Backup Operators
    * (and others)

While it’s possible to correct issues by modifying the ACL on the AdminSDHolder object itself, that procedure is usually not advisable, as any mistake could quickly be propagated to the protected objects. In addition, when the ACL is viewed using the standard AD Users and Computers MMC snap-in, only a subset of possible ACEs is available, because the AdminSDHolder object is a container (and therefore, certain group and user object ACEs are unavailable); to set more advanced permissions, one would need to script a solution or use the dsacls.exe utility.
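A read-only way to see what the AdminSDHolder ACL currently contains and which accounts it is stamped onto, as an added example that is not part of the original answer or the quoted article. It assumes PowerShell with .NET System.DirectoryServices on a domain-joined machine and an account that can read the System container; the S-1-5-7 check and the adminCount filter are choices made for this illustration.

```powershell
# Added example: read-only audit, makes no changes to the directory.
# Assumption: run on a domain-joined machine by an account that can read CN=System.
$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [string]$rootDse.defaultNamingContext
$holder  = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$domain"

# Well-known SID of the ANONYMOUS LOGON principal.
$anonymousSid = 'S-1-5-7'

# 1. List the explicit ACEs on AdminSDHolder. This is the template that is
#    copied onto every protected account, so any ACE here reaches all of them.
$rules = $holder.psbase.ObjectSecurity.GetAccessRules(
    $true,    # include explicit ACEs
    $false,   # skip inherited ACEs
    [System.Security.Principal.SecurityIdentifier])

$report = foreach ($rule in $rules) {
    $sid = $rule.IdentityReference.Value
    try {
        $name = $rule.IdentityReference.Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolved)'   # deleted or foreign principal
    }
    New-Object PSObject -Property @{
        Sid       = $sid
        Name      = $name
        Type      = $rule.AccessControlType
        Rights    = $rule.ActiveDirectoryRights
        Anonymous = ($sid -eq $anonymousSid)
    }
}
$report | Sort-Object Name |
    Format-Table Name, Sid, Type, Rights, Anonymous -AutoSize

if ($report | Where-Object { $_.Anonymous }) {
    Write-Warning "AdminSDHolder grants rights to ANONYMOUS LOGON; every protected account inherits them."
}

# 2. List the user accounts that currently receive this ACL. Protected
#    accounts carry adminCount=1, which is why a Print Operators member
#    loses a manually added ACE.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domain")
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
$searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] } | Sort-Object
```

Keeping the output of the first section as a baseline makes later drift in the AdminSDHolder ACL easy to spot in a diff.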

Windows Server 2003

From novice to tech pro — start learning today.