Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Active Directory Permissions resetting - AdminSDHolder / AdminCount

Posted on 2013-12-10
7
Medium Priority
?
2,374 Views
Last Modified: 2013-12-17
We're having issues with an Windows Server 2008 R2 running AD & Exchange. Permissions are resetting due to AdminSDHolder.

I've found that Domain Users is a member of the Administrators group, when I remove Domain Users it reappears after an hour or so? I've tried restting the AdminCoutn in Attribute Editor back to 0 or <not set> but it just keeps adding the Domain Users group back into Administrators.

I've looked at the following but everything I seem to do it just re-adds the Domain Users group back into Administrators.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/41285a85-28ac-4496-ab57-d737eed3e70f/admin-count
0
Comment
Question by:YorkData
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39708168
Are there any other protected groups that domain users are part of like "print operators"? Also after making that change go into the users properties and change the adminCount=1 back to 0. Take a look at the below link for additional details.

http://seneej.com/2013/06/01/what-is-adminsdholder-object-how-to-reset-admincount-value/

Will.
0
 

Author Comment

by:YorkData
ID: 39708195
Hi Will,

I've followed the below guide by removing the Domain Users group from Administrators and then running the two scripts to tick inheritance and also reset the AdminCount back to 0. It just seems to revert it all back again.

http://blogs.dirteam.com/blogs/kapes/archive/2005/11/24/158.aspx

This still reverts back and even re-adds the Domain Users back into a member of Administrators.

I've checked the other groups that Domain Users is a member of and have listed below

Administrators - Which I keep trying to remove.
CERTSVC_DCOM_ACCESS
Users
0
 
LVL 9

Expert Comment

by:VirastaR
ID: 39708616
Hi,

I guess the below information will give some headsup on the issue you are facing and I guess that its re-adding membership to Administrators as it is a protected group as per the below article.

AdminSDHolder, Protected Groups and SDPROP

Hope that helps :)
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:YorkData
ID: 39710751
I thought that AdminSDHolder was Security permissions protection rather than controlling group membership?

Surely AdminSD shouldn't re-add Domain Users into the Administrators group Members? Shouldn't it just change the Security permissions back?

Does anyone know a way of excluding the Administrators group from AdminSD to see if that is whats causing the security groups to revert?

Thanks for your help.
0
 

Accepted Solution

by:
YorkData earned 0 total points
ID: 39714098
I finally found out what was causing the Domain Users to be re-added to Administrators.

In Group Policy there was a setting within Computer Config > Policies > Windows Settings > Security Settings > Restricted Groups. This had an entry Setting the Administrators Group to have Doman Admins and Domain Users as members. Everytime group policy was updating it was re-adding Domain users and setting the admin things back!

Thanks for your input.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39714138
Glad to have helped!
0
 

Author Closing Comment

by:YorkData
ID: 39723472
Other solutions were related to AdminSDHolder. It turns out the problem was group policy readding Members to security groups
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
New style of hardware planning for Microsoft Exchange server.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
This video discusses moving either the default database or any database to a new volume.
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question