YorkData
asked on
Active Directory Permissions resetting - AdminSDHolder / AdminCount
We're having issues with an Windows Server 2008 R2 running AD & Exchange. Permissions are resetting due to AdminSDHolder.
I've found that Domain Users is a member of the Administrators group, when I remove Domain Users it reappears after an hour or so? I've tried restting the AdminCoutn in Attribute Editor back to 0 or <not set> but it just keeps adding the Domain Users group back into Administrators.
I've looked at the following but everything I seem to do it just re-adds the Domain Users group back into Administrators.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/41285a85-28ac-4496-ab57-d737eed3e70f/admin-count
I've found that Domain Users is a member of the Administrators group, when I remove Domain Users it reappears after an hour or so? I've tried restting the AdminCoutn in Attribute Editor back to 0 or <not set> but it just keeps adding the Domain Users group back into Administrators.
I've looked at the following but everything I seem to do it just re-adds the Domain Users group back into Administrators.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/41285a85-28ac-4496-ab57-d737eed3e70f/admin-count
ASKER
Hi Will,
I've followed the below guide by removing the Domain Users group from Administrators and then running the two scripts to tick inheritance and also reset the AdminCount back to 0. It just seems to revert it all back again.
http://blogs.dirteam.com/blogs/kapes/archive/2005/11/24/158.aspx
This still reverts back and even re-adds the Domain Users back into a member of Administrators.
I've checked the other groups that Domain Users is a member of and have listed below
Administrators - Which I keep trying to remove.
CERTSVC_DCOM_ACCESS
Users
I've followed the below guide by removing the Domain Users group from Administrators and then running the two scripts to tick inheritance and also reset the AdminCount back to 0. It just seems to revert it all back again.
http://blogs.dirteam.com/blogs/kapes/archive/2005/11/24/158.aspx
This still reverts back and even re-adds the Domain Users back into a member of Administrators.
I've checked the other groups that Domain Users is a member of and have listed below
Administrators - Which I keep trying to remove.
CERTSVC_DCOM_ACCESS
Users
Hi,
I guess the below information will give some headsup on the issue you are facing and I guess that its re-adding membership to Administrators as it is a protected group as per the below article.
AdminSDHolder, Protected Groups and SDPROP
Hope that helps :)
I guess the below information will give some headsup on the issue you are facing and I guess that its re-adding membership to Administrators as it is a protected group as per the below article.
AdminSDHolder, Protected Groups and SDPROP
Hope that helps :)
ASKER
I thought that AdminSDHolder was Security permissions protection rather than controlling group membership?
Surely AdminSD shouldn't re-add Domain Users into the Administrators group Members? Shouldn't it just change the Security permissions back?
Does anyone know a way of excluding the Administrators group from AdminSD to see if that is whats causing the security groups to revert?
Thanks for your help.
Surely AdminSD shouldn't re-add Domain Users into the Administrators group Members? Shouldn't it just change the Security permissions back?
Does anyone know a way of excluding the Administrators group from AdminSD to see if that is whats causing the security groups to revert?
Thanks for your help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Glad to have helped!
ASKER
Other solutions were related to AdminSDHolder. It turns out the problem was group policy readding Members to security groups
http://seneej.com/2013/06/01/what-is-adminsdholder-object-how-to-reset-admincount-value/
Will.