Re: AD User Objects not retaining security



Hello,

It is a good bet that you are running up against "adminsdholder". Here is a
link to learn about it:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx

Short summary:
Some accounts are "protected". An account becomes protected if it is a
member of a key group, such as one of the builtin administrator groups.
There is an object in Active Directory called the adminsdholder. It is a
placeholder object in AD that has a set of permissions on it. This is your
default permissions set for protected objects. There is a process that runs
regularly on the domain that looks for protected accounts and makes sure
their permissions are set to the permissions on the adminsdholder object.

I hope this information helps.

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

"Jeff" <Jeff@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A5D690A9-BF34-462C-8130-9267A31C8730@xxxxxxxxxxxxxxxx
Salutations,

I've run across a strange issue in a Windows 2000 Native AD environment.
There are two Domain Controllers, one is Windows 2000, the other is Server
2003. Server 2003 hosts Exchange 2003.

The issue began when the 2000 DC was hosting all of the FSMO roles. When
new security was added to the security tab of an AD user object, it would
disappear after a period of time, leaving only the SID behind. We don't
have an exact time frame, but it seems to be within an hour.

We went through several layers of troubleshooting, and we've eventually
moved all of the FSMO roles to the 2003 server. Now, the same error seems
to be occurring, but the Security descriptors are completely removed, no SID
is left behind.

I've checked replication with replmon, and ran several dcdiag tests, and
nothing seems out of the ordinary. The only thing I've not explored deeply
is the AdminSDholder object, as described in
http://support.microsoft.com/?id=232199.

I suppose I'm looking for any thoughts as to what else could be causing
this strange issue.
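
Added example (not part of either post in this thread): a read-only PowerShell check, using ADSI, that lists the accounts flagged as protected (adminCount=1) and reports whether each account's DACL is the same as the one on the AdminSDHolder object. It assumes a domain-joined Windows host, PowerShell 3.0 or later, and an account allowed to read the objects' security descriptors; the output property names are made up for the example.

```powershell
# Added example: read-only, changes nothing in the directory.
# Assumes the current host is joined to the domain being checked.
$root     = [adsi]'LDAP://RootDSE'
$domainDN = [string]$root.defaultNamingContext

# AdminSDHolder is the template object; its DACL is what gets copied
# onto every protected account.
$holder   = [adsi]"LDAP://CN=AdminSDHolder,CN=System,$domainDN"
$dacl     = [System.Security.AccessControl.AccessControlSections]::Access
$template = $holder.ObjectSecurity.GetSecurityDescriptorSddlForm($dacl)

# Protected accounts carry adminCount=1.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(adminCount=1))'
$searcher.PageSize = 500   # page the results in large domains

foreach ($hit in $searcher.FindAll()) {
    $entry = $hit.GetDirectoryEntry()
    $sec   = $entry.ObjectSecurity

    # Output property names below are hypothetical, chosen for this example.
    [pscustomobject]@{
        Account              = [string]$entry.sAMAccountName
        # True when the object no longer inherits ACEs from its parent OU
        InheritanceBlocked   = $sec.AreAccessRulesProtected
        # True when the account's DACL is identical to the template's
        MatchesAdminSDHolder = ($sec.GetSecurityDescriptorSddlForm($dacl) -eq $template)
        DN                   = [string]$entry.distinguishedName
    }
}
```

If the account whose security entries keep disappearing shows up in this list, the behaviour matches the summary above, and a lasting permission change for it has to be made on the AdminSDHolder object rather than on the account.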

