AdminSDHolder - Inheritable Permissions

Posted on 2012-09-11
Last Modified: 2012-09-13
Hi Everyone,

I am having an issue where I cannot select "Include inheritable permissions from this object's parents" in Active Directory (Windows Server 2008 R2).
In fact, I am able to select the box, but within 1 hour the box will become de-selected.

This is causing our users to have issues receiving emails on their iPhones.

After scratching my head for a while, I hit Google and I believe I have narrowed down the problem to AdminSDHolder, Protected Groups and SDPROP, which runs every hour and overwrites any changes I have made.

The users are placed in an OU called "DE User". Thinking it may be a problem with that OU, I took our test user "Peter Pan" and put him in the User OU. Unfortunately this made no difference and my permissions were still overwritten an hour later.
My question is, how can I stop AdminSDHolder from overwriting these permissions, short of totally killing it?

Any help would be greatly appreciated.

Question by:deepslalli
    LVL 12

    Accepted Solution


    Kindly check method 2 from this article.

    Hope that helps

    LVL 52

    Expert Comment

    You have to remove him from the AdminSDHolder group ... I wouldn't recommend to modify the AdminSDHolder group, so what you can do is have another account for management :)

    - Rancy

    Author Comment

    Thanks for your help, I'll be trying method 2 on that article ASAP. I would just like to add that the users I'm having problems with should all be standard users. Not admin rights etc.

    Not sure exactly what has made the user accounts "privileged" and thus included in sdholder.
    LVL 52

    Assisted Solution

    Check the Members tab of the user and ensure he isn't a member of any of those groups; if by any means he is, remove ... give time for replication and try again.

    - Rancy

    Author Closing Comment


    For some reason Domain Users group was among the protected groups, I followed method 2 as per Navdeep and all is well.

    But thanks Rancy for making me double check the groups, although I didn't expect domain user to be one of these protected groups.

    But a Get-ADUser -LDAPFilter PowerShell script helped me see the groups that were protected.
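
The Get-ADUser -LDAPFilter check mentioned in the closing comment can be extended to show which group is pulling each account under AdminSDHolder, including the primary group (Domain Users in this thread), which the `member` attribute does not list. This is an added example, not code from the thread; it assumes PowerShell 3.0 or later with the ActiveDirectory module, and the function names are hypothetical.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # Escape characters that are special inside an LDAP filter (RFC 4515); backslash first.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-SdPropStampedUser {
    # Users that SDProp has stamped (adminCount=1), with the stamped groups they belong to.
    $users = Get-ADUser -LDAPFilter '(adminCount=1)' `
                        -Properties adminCount, PrimaryGroup, nTSecurityDescriptor
    foreach ($u in $users) {
        $userDn    = ConvertTo-LdapFilterValue $u.DistinguishedName
        $primaryDn = ConvertTo-LdapFilterValue $u.PrimaryGroup
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (follows nested membership).
        # Primary-group membership lives in primaryGroupID, not in 'member', so the
        # primary group and everything it is nested into are checked separately.
        $chain  = '1.2.840.113556.1.4.1941'
        $filter = "(&(adminCount=1)(|(member:${chain}:=$userDn)" +
                  "(member:${chain}:=$primaryDn)(distinguishedName=$primaryDn)))"
        $groups = Get-ADGroup -LDAPFilter $filter
        [pscustomobject]@{
            SamAccountName      = $u.SamAccountName
            # True means the "include inheritable permissions" box is cleared on the object.
            InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected
            # Empty means no stamped group was found: the account was protected in the
            # past, or is protected directly rather than through a group.
            ProtectedVia        = ($groups | Sort-Object Name |
                                   Select-Object -ExpandProperty Name) -join '; '
        }
    }
}

Get-SdPropStampedUser | Sort-Object SamAccountName | Format-Table -AutoSize
```

Removing an account from a protected group does not undo the stamp: adminCount stays at 1 and inheritance stays disabled until both are reset on the object.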
