Tuesday, 24 February 2015

Active Directory : adminCount attribute and AdminSDHolder

The Active Directory attribute adminCount is used to indicate the protection status of an object. The value of this attribute is set by the system when an object is added to an administrative group/protected group.

Does setting Admincount to 0 revokes protected status of users who are member of protected AD group ?

No, Admincount will automatically revert as 1 by AdminSDHolder (if you edit manually ). By default the process called SDPROP (Security Descriptor Propagation ) is automatically activated every 60 minutes on the PDC emulator of the Active Directory domain and update adminCount value of every security objects by AdminSDHolder code.

What is AdminSDHolder

Active Directory domain has an object called AdminSDHolder, which resides in the System container in the domain (CN=AdminSDHolder,CN=System,DN=domain,DN=com). The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in or granted administrative accounts. The AdminCount attribute value will be changed from NULL to 1 when an account granted administrative permissions. The AdminCount attribute on that user account does not change when administrative permission accounts is disabled or revoked, the value 1 remains.

The following Active Directory Powershell cmdlet command detect which users and groups are affected by Protected Group status.

List AD Protected Users:
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(admincount=1)" | Select Name,DistinguishedName
List AD Protected Groups:
Import-Module ActiveDirectory
Get-ADGroup -LDAPFilter "(admincount=1)" | Select Name,DistinguishedName
Default protected administrative groups in Active Directory:
  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Cert Publishers
  • Domain Controllers
  • Read-Only Domain Controllers
  • Replicator


No comments:

Post a Comment