Re: adminCount schema attribute
- From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Mon, 19 Nov 2007 20:20:51 +0100
> So did I understand your article correctly that the way a user is protected is to add them to a protected group?
No! That is NOT correct!
The term "protection" means that the group and its members are protected from changes when delegation has been configured on some OU that contains the group and/or its members. Although this is true, the members of course inherit the permissions assigned to the protected groups.
It is better NOT to use the default groups like backup operator, server operator, etc. The exception to this are the administrators and the domain admins groups.
Create your own groups and add members and assign permissions to those custom created groups.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"JayDee" <dopamine@xxxxxxxx> wrote in message news:500a2d2f-9444-4171-84d1-ebe4fc295324@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Nov 18, 2:33 pm, "Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByD...@xxxxxxxxx> wrote:
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/16/86.aspx
"JayDee" <dopam...@xxxxxxxx> wrote in message
news:ea33eb8c-31f2-486f-be2f-3d1c4e5f3389@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I was under the impression this attribute was incremented when a user
> account had administrative privileges to keep users with loser rights
> from being able to edit those accounts. So I guess my first question
> is - is that correct?
> Here are some things I noticed:
> If adminCount is set to 1, admins with "change password" rights cannot
> change passwords on these accounts. Setting the attribute to <NOT SET>
> seems to remedy this problem.
> It seems that accounts randomly have this attribute set to "1" - even
> though they've never been an admin.
> Once I reset the attribute to <NOT SET>, I have not found a way to
> make it increment again.
> Can someone please explain this strange attribute to me? It seems to
> evade my understanding...
> Thanks!
> - JmD
Hey thanks for those links Jorge. I now understand that the adminCount
attribute isn't used by the internal AdminSDHolder process, it's just
something else that changes as a result of adding someone to a
protected group. So did I understand your article correctly that the
way a user is protected is to add them to a protected group? And the
thing that makes them unable to be edited or changed once removed is
that inheritance is turned off - and that turning it back on must be a
manual process.
But I'm pretty sure that on some occasions resetting the adminCount to
<NOT SET> has been enough to allow "lower" admins to edit the account.
Also, I noticed that when adding a user to Domain Admins, I don't
always see the adminCount attribute change... any ideas regarding
those two things?
Thanks for the info!
- JD
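
The thread describes two states worth auditing: accounts that keep adminCount=1 and disabled ACL inheritance after leaving a protected group, and protected-group members whose adminCount is not set yet. The following is an added example, not part of the original posts; it runs offline on constructed directory records, and the record fields (`memberOf`, `adminCount`, `inheritance_blocked`), the domain and all object names are assumptions made for illustration.

```python
"""Audit adminCount against actual protected-group membership (constructed data)."""
BASE = "DC=example,DC=test"              # made-up domain
DA = f"CN=Domain Admins,CN=Users,{BASE}"
ADMINS = f"CN=Administrators,CN=Builtin,{BASE}"
PROTECTED_GROUPS = {DA, ADMINS}          # only the two groups named in the thread

def obj(name, member_of=(), admin_count=None, blocked=False):
    """One exported object: DN, direct memberOf, adminCount, ACL inheritance flag."""
    dn = name if "," in name else f"CN={name},OU=Staff,{BASE}"
    return {"dn": dn, "memberOf": list(member_of), "adminCount": admin_count,
            "inheritance_blocked": blocked}

TIER0 = f"CN=Tier0 Ops,OU=Staff,{BASE}"
HELPDESK = f"CN=Helpdesk,OU=Staff,{BASE}"
OBJECTS = [                              # constructed sample export
    obj(ADMINS, (), 1, True),
    obj(DA, (ADMINS,), 1, True),
    obj("Tier0 Ops", (DA,), 1, True),    # group nested in Domain Admins
    obj("Helpdesk"),
    obj("alice", (TIER0,), 1, True),     # protected through nesting
    obj("bob", (HELPDESK,), 1, True),    # removed from Domain Admins earlier
    obj("carol", (DA,)),                 # member, adminCount not set yet
    obj("dave", (HELPDESK,)),
]

def is_protected(dn, parents, seen=None):
    """True if dn is a protected group or a direct/nested member of one."""
    seen = set() if seen is None else seen
    if dn in PROTECTED_GROUPS:
        return True
    if dn in seen:                       # guard against membership loops
        return False
    seen.add(dn)
    return any(is_protected(p, parents, seen) for p in parents.get(dn, ()))

def audit(objects):
    """Return (stale, pending): adminCount=1 without membership, membership without it."""
    parents = {o["dn"]: o["memberOf"] for o in objects}
    stale, pending = [], []
    for o in objects:
        protected = is_protected(o["dn"], parents)
        if o["adminCount"] == 1 and not protected:
            stale.append((o["dn"], o["inheritance_blocked"]))
        elif protected and o["adminCount"] != 1:
            pending.append(o["dn"])
    return stale, pending

if __name__ == "__main__":
    stale, pending = audit(OBJECTS)
    print("stale adminCount (dn, inheritance still blocked):", stale)
    print("protected member without adminCount:", pending)
```

Entries in the first list are the candidates for clearing adminCount and re-enabling inheritance by hand; entries in the second are expected to be transient.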