Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


June 2007

Demystifying the AdminSDHolder Object

Avoid the problem of disappearing AD permissions
From the June 2007 Edition
of Windows IT Pro
Tony Murray
Feature
InstantDoc #95834
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Removing Accounts from Protected Groups
In a typical AD environment, administrators regularly move accounts in and out of protected groups. For example, an account might temporarily require elevated privileges to perform a specific task. In such cases, the AdminSDHolder task applies the security descriptor associated with the AdminSDHolder object (as described earlier)—but doesn't revert to the previous security descriptor when the account is removed from the protected group. Additionally, the AdminSDHolder task doesn't remove the adminCount attribute value of 1. In my opinion, this behavior is less than ideal because it leaves behind a security descriptor that has permissions inheritance disabled and an adminCount attribute value that's potentially confusing if used for LDAP queries. I'd prefer it if the AdminSDHolder task could tidy up after itself, but alas, this isn't the case in the current version of Windows.

Determining Which Objects the AdminSDHolder Task Has Modified
The most common effective method to determine which accounts and groups have been touched by the AdminSDHolder task is to look for Event ID 684 account-management audit entries in the Security event log on the PDC emulator DC. Figure 5 shows an example of such a log entry. Note that you must have account-management auditing enabled for the system to log the required events. (For more information about enabling AD auditing, see "Monitoring AD Changes," September 2003, InstantDoc ID 39769.)

As an alternative method, you can log security descriptor propagation (SDPROP) activity. The AdminSDHolder task and SDPROP are unrelated, but whenever a Security Descriptor (SD) update occurs, SDPROP attempts to propagate the changes to child objects. In other words, SDPROP informational events provide clues as to what objects have been touched by the AdminSDHolder task, but be aware that SDPROP potentially logs other, unrelated activity.

SDPROP doesn't log informational events in the Directory Service (DS) event log unless you increase the level of diagnostics logging from the default. To enable SDPROP informational events, again on the PDC emulator DC, set the value of 9 Internal Processing on the following registry subkey to 5 (decimal): HKEY_ LOCAL_MACHINE\SYSTEM\CurrentControl Set\Services\NTDS\Diagnostics. After you've enabled the increased logging level, look for Event IDs 1257 and 1258 in the DS event log with NTDS SDPROP as the source. The events will contain the name of the objects updated by SDPROP. Note that increasing the logging level generates a large number of events, so you should do so only to troubleshoot a particular problem, then decrease the logging level when you're finished troubleshooting.

A third method is to issue an LDAP query for all objects within the domain that have an adminCount attribute value of 1. However, this method is unreliable for the reasons I've already mentioned—that is, the fact that the AdminSDHolder task doesn't remove the attribute value when the object is no longer a member of one of the protected groups. In the following example, I use ADFind (an excellent freeware command-line tool from joeware .net, http://www.joeware.net) to run the LDAP query. The query searches the default directory partition (the domain partition) and returns all user objects that have an adminCount attribute value of 1. (The query wraps to multiple lines because of space constraints, but you should type it on one line.) 

adfind -default -f "(&(objectClass=user)
  (objectCategory=Person)(adminCount=1))"

Avoid the Pitfalls
The AdminSDHolder task leverages the security descriptor associated with the AdminSDHolder container object to protect certain AD objects from compromise. Although this feature is necessary from a security perspective, it can cause confusion for administrators in certain delegation scenarios. Understanding AdminSDHolder's behavior can help administrators avoid the pitfalls and also help with troubleshooting. You can also preempt common mistakes by following delegation best practices and implementing secondary accounts for administrative purposes.

End of Article

   Previous  1  [2]  Next  


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path Windows IT Pro Resources
"Monitoring AD Changes"

"Granting Permissions on AD User Object Properties"

"Access Denied: Returning to a Domain's Default Permissions"

"Windows 2003: Active Directory Administration Essentials (Windows IT Pro eBook)"
Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

How can I stop and start services from the command line?

...

Where is Microsoft NetMeeting in Windows XP?

...
Active Directory (AD) Whitepapers Sustainable Compliance: How to reconnect compliance, security and business goals

Managing Unix/Linux with Microsoft System Center Operations Manager 2007 Cross Platform Extensions Beta

Addressing the Insider Threat with NetIQ Security and Administration Solutions
Related Events How IE7 & The New Extended Validation SSL Certificates Impact Your Site

Concrete Ways to Make Sure Your SharePoint Deployment Doesn't Blow Up

Securely Extend SharePoint to the Extranet

Check out our list of Free Email Newsletters!
Active Directory (AD) eBooks Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Register for Orion NPM v9 - Evaluation
Affordable, easy-to-use network performance management with SolarWinds Orion – Free Trial!

Want a Hardware-Independent Image?
Binary Research, the Ghost people, shows you how to clone with 1!

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Order Your Fundamentals CD Today!
Register today for your in-depth copy of one of three Fundamental CDs on the following topics – Exchange, SQL, and SharePoint.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing