Solved

Active Directory Permissions resetting - AdminSDHolder / AdminCount

Posted on 2013-12-10
7
2,168 Views
Last Modified: 2013-12-17
We're having issues with an Windows Server 2008 R2 running AD & Exchange. Permissions are resetting due to AdminSDHolder.

I've found that Domain Users is a member of the Administrators group, when I remove Domain Users it reappears after an hour or so? I've tried restting the AdminCoutn in Attribute Editor back to 0 or <not set> but it just keeps adding the Domain Users group back into Administrators.

I've looked at the following but everything I seem to do it just re-adds the Domain Users group back into Administrators.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/41285a85-28ac-4496-ab57-d737eed3e70f/admin-count
0
Comment
Question by:YorkData
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39708168
Are there any other protected groups that domain users are part of like "print operators"? Also after making that change go into the users properties and change the adminCount=1 back to 0. Take a look at the below link for additional details.

http://seneej.com/2013/06/01/what-is-adminsdholder-object-how-to-reset-admincount-value/

Will.
0
 

Author Comment

by:YorkData
ID: 39708195
Hi Will,

I've followed the below guide by removing the Domain Users group from Administrators and then running the two scripts to tick inheritance and also reset the AdminCount back to 0. It just seems to revert it all back again.

http://blogs.dirteam.com/blogs/kapes/archive/2005/11/24/158.aspx

This still reverts back and even re-adds the Domain Users back into a member of Administrators.

I've checked the other groups that Domain Users is a member of and have listed below

Administrators - Which I keep trying to remove.
CERTSVC_DCOM_ACCESS
Users
0
 
LVL 9

Expert Comment

by:VirastaR
ID: 39708616
Hi,

I guess the below information will give some headsup on the issue you are facing and I guess that its re-adding membership to Administrators as it is a protected group as per the below article.

AdminSDHolder, Protected Groups and SDPROP

Hope that helps :)
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:YorkData
ID: 39710751
I thought that AdminSDHolder was Security permissions protection rather than controlling group membership?

Surely AdminSD shouldn't re-add Domain Users into the Administrators group Members? Shouldn't it just change the Security permissions back?

Does anyone know a way of excluding the Administrators group from AdminSD to see if that is whats causing the security groups to revert?

Thanks for your help.
0
 

Accepted Solution

by:
YorkData earned 0 total points
ID: 39714098
I finally found out what was causing the Domain Users to be re-added to Administrators.

In Group Policy there was a setting within Computer Config > Policies > Windows Settings > Security Settings > Restricted Groups. This had an entry Setting the Administrators Group to have Doman Admins and Domain Users as members. Everytime group policy was updating it was re-adding Domain users and setting the admin things back!

Thanks for your input.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39714138
Glad to have helped!
0
 

Author Closing Comment

by:YorkData
ID: 39723472
Other solutions were related to AdminSDHolder. It turns out the problem was group policy readding Members to security groups
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question