So everyone knows what the AdminSDHolder does? Okay, let's do a short version of that too.
What is the AdminSDHolder then?
Well, Windows has a few "protected" groups and users. If you are a member of one of these protected groups, Windows will do a few things to your user object every 60 minutes by default:
- Set the AdminCount property of the user to 1
- Disable inheritance on the user object
- Set the rights on the user object to a reduced set
This is an extremely simplified version. For more information please read the TechNet article on AdminSDHolder.
Users and groups that by default are managed by the AdminSDHolder
Name | Type |
---|---|
Administrator | User |
Account Operators | Group |
Administrators | Group |
Backup Operators | Group |
Cert Publishers | Group |
Domain Admins | Group |
Domain Controllers | Group |
Enterprise Admins | Group |
Krbtgt | User |
Print Operators | Group |
Read-only Domain Controllers | Group |
Replicator | User |
Schema Admins | Group |
Server Operators | Group |
Backing out
Many of the solutions on the internet only enable inheritance, but there is a problem with that approach. Some rights are set by default directly on the object; for instance, the rights for Account Operators won't come back just by enabling inheritance. So I wrote a small script that reads the default ACLs and then uses that information to correct the AD object (user). You can download it at the TechNet Script Center. It's really simple, so it's not more complicated than:
Reset-VirotADPermissions -DistinguishedName 'CN=Administrator,CN=Users,DC=virot,DC=eu'
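Before running a reset like the one above you usually want to know which objects actually need it. The script below is an added example (not part of the original post and not the Reset-VirotADPermissions script) that audits a domain for users that still carry the AdminSDHolder side effects described above (adminCount=1, inheritance disabled) but are no longer members of any protected group from the table. It assumes the ActiveDirectory RSAT module is installed and only reads from the directory; it changes nothing.

```powershell
# Added example, not code from the original post. Read-only audit of users that
# SDProp has protected at some point but that are no longer in a protected group.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# The protected users and groups from the table above. Each name is looked up by
# sAMAccountName and handled according to its objectClass, so users (Administrator,
# Krbtgt) are added directly and groups are expanded with nested membership.
$ProtectedNames = @(
    'Administrator', 'Account Operators', 'Administrators', 'Backup Operators',
    'Cert Publishers', 'Domain Admins', 'Domain Controllers', 'Enterprise Admins',
    'Krbtgt', 'Print Operators', 'Read-only Domain Controllers', 'Replicator',
    'Schema Admins', 'Server Operators'
)

# Distinguished names of everything that is legitimately protected right now.
$ProtectedMembers = New-Object 'System.Collections.Generic.HashSet[string]'

foreach ($name in $ProtectedNames) {
    # Enterprise Admins and Schema Admins only exist in the forest root domain,
    # so a name that does not resolve in this domain is simply skipped.
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$name)"
    if ($null -eq $obj) {
        Write-Verbose "'$name' not found in this domain, skipping."
        continue
    }

    if ($obj.ObjectClass -eq 'group') {
        # -Recursive follows nested groups, which is also how SDProp sees membership.
        Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [void]$ProtectedMembers.Add($_.distinguishedName) }
    }
    else {
        [void]$ProtectedMembers.Add($obj.DistinguishedName)
    }
}

# Candidates: every user object that SDProp has stamped with adminCount=1.
# nTSecurityDescriptor is requested so the inheritance flag can be inspected.
$Flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor

$Report = foreach ($u in $Flagged) {
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        DistinguishedName   = $u.DistinguishedName
        StillProtected      = $ProtectedMembers.Contains($u.DistinguishedName)
        # AreAccessRulesProtected is true when inheritance is disabled on the DACL,
        # which is exactly what SDProp does to a protected object.
        InheritanceDisabled = $u.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

# Orphans: adminCount=1 and inheritance blocked, but no longer in any protected
# group. These are the objects that a reset of the default permissions should target.
$Orphans = $Report | Where-Object { -not $_.StillProtected }
$Orphans | Format-Table -AutoSize
```

The report deliberately leaves the objects alone. Run it first, review the list of orphans, and only then feed each DistinguishedName to a reset such as Reset-VirotADPermissions; simply re-enabling inheritance on them would bring back the inherited ACEs but not the explicit default rights the post mentions.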
Have fun