John Policelli's Blog

Covering Identity and Access Solutions, Unified Communications, Collaboration, and Server Infrastructure.

  • Subscribe

  • SAMS Active Directory Domain Services 2008 How-To

    SAMS Active Directory 20008 How-To

  • MCITP Self-Paced Training Kit (Exam 70-647): Windows ServerĀ® Enterprise Administration

    MCITP Self-Paced Training Kit (Exam 70-647): Windows ServerĀ® Enterprise Administration

  • Disclaimer

    All data and information provided on this site is for informational purposes only. The author makes no representations as to accuracy, completeness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.

Understanding AdminSDHolder and Protected Groups

Posted by John Policelli on 6th November 2009

NOTE: I revised this article to fix some mistakes and to include new content from Windows Server 2008 R2.

Active Directory has built-in processes that exist to secure users that are members of privileged groups. These processes have been around for quite some time, but Active Directory administrators still get stumped by them regularly. What follows, is a updated look at AdminSDHolder, Protected Groups, and SDPROP. Windows Server 2008 R2 specific content has been added.

This article will provide you with the following information:

  • Overview
  • How AdminSDHolder Works
  • Default ACL on the AdminSDHolder Object in Windows Server 2008 R2
  • Default Protected Groups and Users
  • Modifying How Often the AdminSDHolder Background Process Runs
  • How to Determine if a User or Group is Protected by AdminSDHolder
  • Orphaned AdminSDHolder Objects
  • Security Descriptor Propagator
  • How to Force AdminSDHolder to Run
  • Additional Resources

Read the rest of this entry »

Tags: , , , , , , , ,
Posted in AD DS | 3 Comments »