Solved

Active Directory Permissions resetting - AdminSDHolder / AdminCount

Posted on 2013-12-10
7
2,285 Views
Last Modified: 2013-12-17
We're having issues with an Windows Server 2008 R2 running AD & Exchange. Permissions are resetting due to AdminSDHolder.

I've found that Domain Users is a member of the Administrators group, when I remove Domain Users it reappears after an hour or so? I've tried restting the AdminCoutn in Attribute Editor back to 0 or <not set> but it just keeps adding the Domain Users group back into Administrators.

I've looked at the following but everything I seem to do it just re-adds the Domain Users group back into Administrators.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/41285a85-28ac-4496-ab57-d737eed3e70f/admin-count
0
Comment
Question by:YorkData
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39708168
Are there any other protected groups that domain users are part of like "print operators"? Also after making that change go into the users properties and change the adminCount=1 back to 0. Take a look at the below link for additional details.

http://seneej.com/2013/06/01/what-is-adminsdholder-object-how-to-reset-admincount-value/

Will.
0
 

Author Comment

by:YorkData
ID: 39708195
Hi Will,

I've followed the below guide by removing the Domain Users group from Administrators and then running the two scripts to tick inheritance and also reset the AdminCount back to 0. It just seems to revert it all back again.

http://blogs.dirteam.com/blogs/kapes/archive/2005/11/24/158.aspx

This still reverts back and even re-adds the Domain Users back into a member of Administrators.

I've checked the other groups that Domain Users is a member of and have listed below

Administrators - Which I keep trying to remove.
CERTSVC_DCOM_ACCESS
Users
0
 
LVL 9

Expert Comment

by:VirastaR
ID: 39708616
Hi,

I guess the below information will give some headsup on the issue you are facing and I guess that its re-adding membership to Administrators as it is a protected group as per the below article.

AdminSDHolder, Protected Groups and SDPROP

Hope that helps :)
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:YorkData
ID: 39710751
I thought that AdminSDHolder was Security permissions protection rather than controlling group membership?

Surely AdminSD shouldn't re-add Domain Users into the Administrators group Members? Shouldn't it just change the Security permissions back?

Does anyone know a way of excluding the Administrators group from AdminSD to see if that is whats causing the security groups to revert?

Thanks for your help.
0
 

Accepted Solution

by:
YorkData earned 0 total points
ID: 39714098
I finally found out what was causing the Domain Users to be re-added to Administrators.

In Group Policy there was a setting within Computer Config > Policies > Windows Settings > Security Settings > Restricted Groups. This had an entry Setting the Administrators Group to have Doman Admins and Domain Users as members. Everytime group policy was updating it was re-adding Domain users and setting the admin things back!

Thanks for your input.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39714138
Glad to have helped!
0
 

Author Closing Comment

by:YorkData
ID: 39723472
Other solutions were related to AdminSDHolder. It turns out the problem was group policy readding Members to security groups
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question