Question about admincount and how it affects users and groups

Admincount =1 for users and groups

From looking online I see that AD objects have an attribute called “Admin Count”. The default value is for most objects. Changing the value to “1” flags the account as protected by AdminSDHolder.

By adding a user to an administrative AD group, you change the value to “1”.

We have 300 users with Admincount of 1 and 14 groups with AdminCount of 1, can anyone outline disadvantages of this and best way to remedy it?

Am I right in saying that it interferes with the permissions ACL for groups with a lower administrator setting, i.e. Helpdesk etc.?
Indie101 asked:

Learnctx (Engineer) commented:
To clear it, just set the adminCount from 1 to 0 for the users you want to clear it on. In theory you can just do this for all accounts; AD will set the value back to 1 within 60 minutes if the user is still in a privileged group.

# Clear adminCount on every user that currently has it set to 1
Get-ADUser -Filter {AdminCount -eq 1} -Properties AdminCount | Set-ADUser -Clear adminCount


Though I would suggest targeting the specific users who no longer hold any privileged groups.
1
 
Mahesh (Architect) commented:
The impact of the admincount value being set to 1 on a security principal (users and groups) is that whatever NTFS ACL you set on these objects will be restored to the default value to match the AdminSDHolder object in the System container every hour, by design, to avoid permanent changes to the ACL. Most importantly, it removes the object inheritance bit from the NTDS ACL; the impact is that these accounts do not listen to delegated administration, account movement within OUs, etc.
Hence if you remove a user from protected groups, you must manually set the admincount value to "0".
And there is no reason you should keep that value at 1, as it won't give any benefit.

https://support.microsoft.com/en-in/help/817433/delegated-permissions-are-not-available-and-inheritance-is-automatical
2
 
Learnctx (Engineer) commented:
Am I right in saying that it interferes with the permissions ACL for groups with a lower administrator setting, i.e. Helpdesk etc.?

This is by design and working as intended. So to answer your question, no, it is certainly not interfering with the helpdesk. No one on a helpdesk should ever be able to modify a privileged account in the first place ... because they're the helpdesk.

We have 300 users with Admincount of 1 and 14 groups with AdminCount of 1, can anyone outline disadvantages of this and best way to remedy it?

Why do you have so many users in privileged groups? Do all 300 of these users need to be in a privileged AD group? If these are users who have been removed from privileged groups, then you need to clean up after yourself and set their adminCount back to 0.

The remedy is proper delegation of rights (again see the Microsoft wiki for a basic guide to Active Directory delegation). There is almost nothing in AD that cannot be delegated if you put the effort in. It sounds like you need to audit your environment and clean up the access your people have.
1

 
Indie101 (Author) commented:
Thanks, yes, I have been asked to do AD documentation for a third party. What is the best way to clear Admincount for these groups?

Are there any things I would need to check before making those changes?

Looking through and taking examples of users who have admincount of 1, is this because they are members of nested privileged groups?
 

Thanks again
0
 
Indie101 (Author) commented:
By clearing it, could it prevent users for that time period (60 mins) from obtaining access?

Thanks, will check it with the team as I don't want to change anything without including them.
0
 
Mahesh (Architect) commented:
You can try the code below:
The code will clear the admincount value, if it exists, for accounts which are not members of high-privileged groups like Domain Admins, Enterprise Admins, Schema Admins and Administrators.
You can add more protected groups if you want to.
Replace the DNs of the groups with yours.
Working fine within my lab.

# Users whose direct memberOf lists none of the protected groups (replace the DNs with your domain's).
# The clauses are wrapped in (&...) so the LDAP filter is a valid conjunction.
# Note: memberOf only reflects direct membership; nested membership is not resolved here.
$ADUsers = Get-ADUser -LDAPFilter "(&(!(memberOf=CN=Domain Admins,CN=Users,DC=ExchLabs,DC=local))(!(memberOf=CN=Enterprise Admins,CN=Users,DC=ExchLabs,DC=local))(!(memberOf=CN=Schema Admins,CN=Users,DC=ExchLabs,DC=local))(!(memberOf=CN=administrators,CN=Builtin,DC=ExchLabs,DC=local)))" -Properties adminCount, memberOf |
    Where-Object { ($_.adminCount -eq 1) -and ($_.SamAccountName -ne 'krbtgt') }

# Clear adminCount on each remaining (no longer privileged) user
foreach ($ADUser in $ADUsers) {
    Set-ADUser -Identity $ADUser.SamAccountName -Clear adminCount
}

0
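The script above checks direct membership only, and clearing adminCount by itself does not switch ACL inheritance back on. The following is an added example, not code from this thread or from any of the participants: it resolves nested membership server-side, clears adminCount only for users that are no longer in any protected group, and restores inheritance on those objects. The list of protected group names is an assumption to adjust to your domain; it runs in dry-run mode until $DryRun is set to $false.

```powershell
# Added example: clean up orphaned adminCount=1 users and restore ACL inheritance.
# Assumes the ActiveDirectory module (and its AD: drive). $ProtectedGroupNames is an
# assumed list; adjust it to the protected groups in your domain.
Import-Module ActiveDirectory

$DryRun = $true
$ProtectedGroupNames = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators', 'Replicator')

# Collect every user that is a transitive member of a protected group. The
# LDAP_MATCHING_RULE_IN_CHAIN OID makes the DC resolve nesting, so no client-side recursion.
$StillProtected = @{}
foreach ($name in $ProtectedGroupNames) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
        ForEach-Object { $StillProtected[$_.SamAccountName] = $true }
}

# Candidates: adminCount=1 users not found above. Administrator and krbtgt are
# protected by AdminSDHolder as accounts, not via group membership, so skip them by name.
$Orphaned = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $StillProtected.ContainsKey($_.SamAccountName) -and
                   ($_.SamAccountName -notin @('Administrator', 'krbtgt')) }

foreach ($user in $Orphaned) {
    $path = "AD:\$($user.DistinguishedName)"
    Write-Host "Orphaned adminCount=1: $($user.SamAccountName)"
    if ($DryRun) { continue }

    # Step 1: clear the attribute so SDProp stops re-stamping the object.
    Set-ADUser -Identity $user -Clear adminCount

    # Step 2: re-enable inheritance on the object's ACL.
    # SetAccessRuleProtection($false, $true): not protected (inherits), keep existing ACEs.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}
```

Review the dry-run list before applying; a user that is still a nested member of any protected group is intentionally left alone, because SDProp would stamp adminCount=1 again within the hour anyway.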