Awinish's Technical Blog

Lets continue the journey of learning & Share.!!

Archive for March 1st, 2011

Understanding AdminSDHolder and Protected Groups

Posted by Awinish on March 1, 2011

If you have faced an issue, where you add a domain user to a protected group like administrators,domain admins, enterprise admins, schema admins, account operator etc. & after an hour or so membership disappears & you are scratching your head who did it. You start your findings & come to know its “AdminSDHolder” which reside in system partition reset the ACL to preserver the protected group from misuse & its built-in function. You can disable the automatic reset of permission on protected/built-in groups, but i would say you are inviting security flaws in your environment.

If you want to understand the details of AdminSDHolder & its working, take a look at below posted link. MVP John Policelli on has explained in-depth on his blog & i thought sharing it to readers on my blog too.

Five common questions about AdminSdHolder and SDProp


Posted in Directory Services | Tagged: | Leave a Comment »