Solved

Active Directory Permissions resetting - AdminSDHolder / AdminCount

Posted on 2013-12-10
7
2,242 Views
Last Modified: 2013-12-17
We're having issues with an Windows Server 2008 R2 running AD & Exchange. Permissions are resetting due to AdminSDHolder.

I've found that Domain Users is a member of the Administrators group, when I remove Domain Users it reappears after an hour or so? I've tried restting the AdminCoutn in Attribute Editor back to 0 or <not set> but it just keeps adding the Domain Users group back into Administrators.

I've looked at the following but everything I seem to do it just re-adds the Domain Users group back into Administrators.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/41285a85-28ac-4496-ab57-d737eed3e70f/admin-count
0
Comment
Question by:YorkData
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39708168
Are there any other protected groups that domain users are part of like "print operators"? Also after making that change go into the users properties and change the adminCount=1 back to 0. Take a look at the below link for additional details.

http://seneej.com/2013/06/01/what-is-adminsdholder-object-how-to-reset-admincount-value/

Will.
0
 

Author Comment

by:YorkData
ID: 39708195
Hi Will,

I've followed the below guide by removing the Domain Users group from Administrators and then running the two scripts to tick inheritance and also reset the AdminCount back to 0. It just seems to revert it all back again.

http://blogs.dirteam.com/blogs/kapes/archive/2005/11/24/158.aspx

This still reverts back and even re-adds the Domain Users back into a member of Administrators.

I've checked the other groups that Domain Users is a member of and have listed below

Administrators - Which I keep trying to remove.
CERTSVC_DCOM_ACCESS
Users
0
 
LVL 9

Expert Comment

by:VirastaR
ID: 39708616
Hi,

I guess the below information will give some headsup on the issue you are facing and I guess that its re-adding membership to Administrators as it is a protected group as per the below article.

AdminSDHolder, Protected Groups and SDPROP

Hope that helps :)
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:YorkData
ID: 39710751
I thought that AdminSDHolder was Security permissions protection rather than controlling group membership?

Surely AdminSD shouldn't re-add Domain Users into the Administrators group Members? Shouldn't it just change the Security permissions back?

Does anyone know a way of excluding the Administrators group from AdminSD to see if that is whats causing the security groups to revert?

Thanks for your help.
0
 

Accepted Solution

by:
YorkData earned 0 total points
ID: 39714098
I finally found out what was causing the Domain Users to be re-added to Administrators.

In Group Policy there was a setting within Computer Config > Policies > Windows Settings > Security Settings > Restricted Groups. This had an entry Setting the Administrators Group to have Doman Admins and Domain Users as members. Everytime group policy was updating it was re-adding Domain users and setting the admin things back!

Thanks for your input.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39714138
Glad to have helped!
0
 

Author Closing Comment

by:YorkData
ID: 39723472
Other solutions were related to AdminSDHolder. It turns out the problem was group policy readding Members to security groups
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question