Question about admincount and how it affects users and groups

Admincount =1 for users and groups

From looking online I see that AD objects have an attribute called “Admin Count”. The default value is for most objects. Changing the value to “1” flags the account as protected by AdminSDHolder.

By adding a user to an administrative AD group, you change the value to “1”.

We have 300 users with Admincount of 1 and 14 groups with AdminCount of 1, can anyone outline disadvantages of this and best way to remedy it?

Am I right in saying that it interferes with permissions (ACLs) for groups with a lower administrator setting, i.e. Helpdesk etc.?

The impact of the adminCount value being set to 1 on a security principal (users and groups) is that whatever NTFS ACL you set on these objects will be restored to the default value, to match the AdminSDHolder object in the System container, every hour. This is by design, to avoid permanent changes to the ACL. Most importantly, it removes the object inheritance bit from the NTDS ACL; the impact is that these accounts do not follow delegated administration, account movement within OUs, etc.
Hence, if you remove a user from protected groups, you must manually set the adminCount value to "0".
And there is no reason you should keep that value at 1, as it won't bring any benefit.
Am I right in saying that it interferes with permissions (ACLs) for groups with a lower administrator setting, i.e. Helpdesk etc.?

This is by design and working as intended. So to answer your question, no, it is certainly not interfering with the helpdesk. No one on a helpdesk should ever be able to modify a privileged account in the first place ... because they're the helpdesk.

We have 300 users with Admincount of 1 and 14 groups with AdminCount of 1, can anyone outline disadvantages of this and best way to remedy it?

Why do you have so many users in privileged groups? Do all 300 of these users need to be in a privileged AD group? If these are users who have been removed from privileged groups, then you need to clean up after yourself and set their adminCount back to 0.

The remedy is proper delegation of rights (again see the Microsoft wiki for a basic guide to Active Directory delegation). There is almost nothing in AD that cannot be delegated if you put the effort in. It sounds like you need to audit your environment and clean up the access your people have.
Indie101Author Commented:
Thanks, yes, I have been asked to do AD documentation for a third party. What is the best way to clear adminCount for these groups?

Are there any things I would need to check before making those changes?

Looking through and taking examples of users who have admincount of 1, is this because they are members of nested privileged groups?

Thanks again

To clear it, just set the adminCount from 1 to 0 for the users you want to clear it on. In theory you can just do this for all accounts, AD will set the value back to 1 within 60 minutes if the user is still in a privileged group.

# Find every user currently flagged with adminCount=1 and clear the attribute
Get-ADUser -Filter {AdminCount -eq 1} -Properties AdminCount | Set-ADUser -Clear adminCount

Though I would suggest targeting the specific users who no longer hold any privileged groups.

Indie101Author Commented:
By clearing it, could it prevent users from obtaining access for that time period (60 mins)?

Thanks, will check it with the team as I don't want to change anything without including them.
You can try the code below:
The code will clear the adminCount value, if it exists, for accounts which are not members of highly privileged groups like Domain Admins, Enterprise Admins, Schema Admins and Administrators.
You can add more protected groups if you want to.
Replace the DNs of the groups with yours.
Working fine within my lab.

# Users with adminCount=1 that are not direct members of the listed protected groups.
# The LDAP filter must be wrapped in (&...) so all four exclusions apply together;
# memberOf only covers direct membership, so nested membership is not detected here.
$ADUsers = Get-ADUser -LDAPFilter "(&(!(memberOf=CN=Domain Admins,CN=Users,DC=ExchLabs,DC=local))(!(memberOf=CN=Enterprise Admins,CN=Users,DC=ExchLabs,DC=local))(!(memberOf=CN=Schema Admins,CN=Users,DC=ExchLabs,DC=local))(!(memberOf=CN=administrators,CN=Builtin,DC=ExchLabs,DC=local)))" -Properties adminCount, memberOf | ? { ($_.adminCount -eq '1') -and ($_.sAMAccountName -ne 'krbtgt') }

foreach ($ADUser in $ADUsers) {
    # Clearing the attribute removes it entirely, which SDProp treats the same as 0
    Set-ADUser -Identity $ADUser.SamAccountName -Clear "adminCount"
}

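The two answers above each cover half of the cleanup (clearing adminCount, and checking membership before doing so). The following is an added example, not code from anyone in this thread, that combines them: it resolves protected-group membership transitively with Get-ADGroupMember -Recursive, reports the orphaned accounts together with whether ACL inheritance is still blocked, and runs the fix under -WhatIf until you remove that switch. It assumes the ActiveDirectory module and the default AdminSDHolder-protected group names; extend $ProtectedGroups to match your domain.

```powershell
# Added example: find users flagged adminCount=1 that are no longer (nested) members of
# any protected group, then clear the flag and restore ACL inheritance that SDProp removed.
Import-Module ActiveDirectory

# Default AdminSDHolder-protected groups; add any custom ones your domain protects.
$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                     'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators')

# Distinguished names of every user that is a direct or nested member of a protected group.
$ProtectedMembers = @{}
foreach ($g in $ProtectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $ProtectedMembers[$_.distinguishedName] = $true }
}

# Every user SDProp has stamped, with its current security descriptor (krbtgt stays flagged).
$Flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

# Orphans: flagged but no longer protected. AreAccessRulesProtected = inheritance blocked.
$Orphans = foreach ($u in $Flagged) {
    if ($ProtectedMembers.ContainsKey($u.DistinguishedName)) { continue }
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

# Review the report before changing anything; SDProp re-stamps any real member within the hour anyway.
$Orphans | Format-Table -AutoSize

foreach ($o in $Orphans) {
    # Clear the flag (an absent attribute is treated like 0)...
    Set-ADUser -Identity $o.DistinguishedName -Clear adminCount -WhatIf
    # ...and re-enable inheritance, which clearing adminCount alone does not do.
    if ($o.InheritanceBlocked) {
        $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
        $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep existing explicit ACEs
        Set-Acl -Path "AD:\$($o.DistinguishedName)" -AclObject $acl -WhatIf
    }
}
```

Run it once with -WhatIf in place to confirm the orphan list matches what the team expects, then remove both -WhatIf switches to apply the change.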