So everyone knows what AdminSDHolder does? Okay, let's do a short version of that too.

AdminSDHolder, what is that then?

Well, Windows has a few “protected” groups and users. If you are a member of one of these protected groups, Windows will do a few things to your account every 60 minutes by default.

  • Set the AdminCount property of a user to 1
  • Disable inheritance on the user object
  • Set the rights on the user object to a reduced set

This is an extremely simplified version. For more information, please read the TechNet article on AdminSDHolder.

Users and groups that are managed by AdminSDHolder by default:

Name                            Type
Administrator                   User
Account Operators               Group
Administrators                  Group
Backup Operators                Group
Cert Publishers                 Group
Domain Admins                   Group
Domain Controllers              Group
Enterprise Admins               Group
Krbtgt                          User
Print Operators                 Group
Read-only Domain Controllers    Group
Replicator                      User
Schema Admins                   Group
Server Operators                Group

Backing out

Many of the solutions on the internet only re-enable inheritance, but there is a problem with that approach. Some rights are set explicitly on the object by default; for instance, the rights for Account Operators won’t come back by just enabling inheritance. So I wrote a small script that reads the default ACLs and then uses that information to correct the AD object (the user). You can download it from the TechNet Script Center. It’s really simple, so using it is no more advanced than:

Reset-VirotADPermissions -DistinguishedName 'CN=Administrator,CN=Users,DC=virot,DC=eu'
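As an added example (not the author’s Reset-VirotADPermissions script), here is the same idea written against the ActiveDirectory module: find users that still carry AdminCount=1 but are no longer in any of the protected groups from the table above, then restore the explicit ACEs from the user class’s defaultSecurityDescriptor in the schema, re-enable inheritance and clear AdminCount. It assumes a domain-joined machine with RSAT and the AD: drive, and the function names are my own.

```powershell
# Added example, not the author's Reset-VirotADPermissions script.
Import-Module ActiveDirectory

# Users that still carry AdminCount=1 but are no longer in any protected group.
function Get-OrphanedAdminCountUser {
    $protectedGroups = 'Account Operators', 'Administrators', 'Backup Operators',
        'Cert Publishers', 'Domain Admins', 'Domain Controllers', 'Enterprise Admins',
        'Print Operators', 'Read-only Domain Controllers', 'Replicator',
        'Schema Admins', 'Server Operators'
    $protected = @{}
    foreach ($name in $protectedGroups) {
        $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
        if ($group) {
            Get-ADGroupMember -Identity $group -Recursive |
                ForEach-Object { $protected[$_.DistinguishedName] = $true }
        }
    }
    # Administrator and krbtgt are protected as users, not via group membership.
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $_.SamAccountName -notin 'Administrator', 'krbtgt' -and
                       -not $protected.ContainsKey($_.DistinguishedName) }
}

# Replace the explicit ACEs left behind by SDProp with the schema default for
# the user class (the part plain inheritance does not give back), then
# re-enable inheritance and clear AdminCount.
function Reset-UserDefaultAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $userClass = Get-ADObject -Identity "CN=User,$schemaNC" -Properties defaultSecurityDescriptor
    $default = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $default.SetSecurityDescriptorSddlForm($userClass.defaultSecurityDescriptor)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)          # drop the reduced explicit set
    }
    foreach ($ace in $default.Access) { $acl.AddAccessRule($ace) }   # schema defaults back
    $acl.SetAccessRuleProtection($false, $true)    # inheritance back on

    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Reset ACL and clear adminCount')) {
        Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        Set-ADUser -Identity $DistinguishedName -Clear adminCount
    }
}

# Review first with -WhatIf, then run again without it to apply.
Get-OrphanedAdminCountUser |
    ForEach-Object { Reset-UserDefaultAcl -DistinguishedName $_.DistinguishedName -WhatIf }
```

Note that SDProp will simply re-protect the object on its next run if the account is still in a protected group, so the membership check comes first for a reason.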

Have fun