Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2481
  • Last Modified:

Active Directory Permissions resetting - AdminSDHolder / AdminCount

We're having issues with an Windows Server 2008 R2 running AD & Exchange. Permissions are resetting due to AdminSDHolder.

I've found that Domain Users is a member of the Administrators group, when I remove Domain Users it reappears after an hour or so? I've tried restting the AdminCoutn in Attribute Editor back to 0 or <not set> but it just keeps adding the Domain Users group back into Administrators.

I've looked at the following but everything I seem to do it just re-adds the Domain Users group back into Administrators.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/41285a85-28ac-4496-ab57-d737eed3e70f/admin-count
0
YorkData
Asked:
YorkData
  • 4
  • 2
1 Solution
 
Will SzymkowskiSenior Solution ArchitectCommented:
Are there any other protected groups that domain users are part of like "print operators"? Also after making that change go into the users properties and change the adminCount=1 back to 0. Take a look at the below link for additional details.

http://seneej.com/2013/06/01/what-is-adminsdholder-object-how-to-reset-admincount-value/

Will.
0
 
YorkDataAuthor Commented:
Hi Will,

I've followed the below guide by removing the Domain Users group from Administrators and then running the two scripts to tick inheritance and also reset the AdminCount back to 0. It just seems to revert it all back again.

http://blogs.dirteam.com/blogs/kapes/archive/2005/11/24/158.aspx

This still reverts back and even re-adds the Domain Users back into a member of Administrators.

I've checked the other groups that Domain Users is a member of and have listed below

Administrators - Which I keep trying to remove.
CERTSVC_DCOM_ACCESS
Users
0
 
VirastaRCommented:
Hi,

I guess the below information will give some headsup on the issue you are facing and I guess that its re-adding membership to Administrators as it is a protected group as per the below article.

AdminSDHolder, Protected Groups and SDPROP

Hope that helps :)
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
YorkDataAuthor Commented:
I thought that AdminSDHolder was Security permissions protection rather than controlling group membership?

Surely AdminSD shouldn't re-add Domain Users into the Administrators group Members? Shouldn't it just change the Security permissions back?

Does anyone know a way of excluding the Administrators group from AdminSD to see if that is whats causing the security groups to revert?

Thanks for your help.
0
 
YorkDataAuthor Commented:
I finally found out what was causing the Domain Users to be re-added to Administrators.

In Group Policy there was a setting within Computer Config > Policies > Windows Settings > Security Settings > Restricted Groups. This had an entry Setting the Administrators Group to have Doman Admins and Domain Users as members. Everytime group policy was updating it was re-adding Domain users and setting the admin things back!

Thanks for your input.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Glad to have helped!
0
 
YorkDataAuthor Commented:
Other solutions were related to AdminSDHolder. It turns out the problem was group policy readding Members to security groups
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now