Awinish's Technical Blog

Let's continue the journey of learning & sharing!


Understanding AdminSDHolder and Protected Groups

Posted by Awinish on March 1, 2011


If you have ever added a domain user to a protected group such as Administrators, Domain Admins, Enterprise Admins, Schema Admins, Account Operators, etc., only to find that after an hour or so the membership disappears, you are probably scratching your head over who did it. Dig into it and you find that it is "AdminSDHolder", which resides in the system partition and resets the ACL to preserve the protected groups from misuse; this is a built-in function. You can disable the automatic reset of permissions on protected/built-in groups, but I would say you are inviting security flaws into your environment.

If you want to understand the details of AdminSDHolder and how it works, take a look at the links posted below. MVP John Policelli has explained it in depth on his blog, and I thought I would share it with the readers of my blog too.

http://policelli.com/blog/archive/2009/11/06/understanding-adminsdholder-and-protected-groups/

http://policelli.com/blog/archive/2010/06/05/technet-magazine-article-adminsdholder-protected-groups-and-sdprop-finally-updated/

http://blog.joeware.net/2009/09/08/1693/

Five common questions about AdminSdHolder and SDProp

http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx
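
A read-only audit of the behaviour described in this post, added here as an example and not taken from the post or the linked articles: it dumps the AdminSDHolder ACL, compares the DACL of every object marked adminCount=1 against that template, and reads dSHeuristics to see whether any operator group has been excluded from protection. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain and configuration partitions.

```powershell
# Added example (not from the original post). Nothing here modifies the directory.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# 1. The template ACL that SDProp stamps onto every protected object.
#    Any unexpected principal listed here gains rights on all protected accounts.
$holderAcl  = Get-Acl -Path "AD:\$holderDN"
$holderDacl = $holderAcl.GetSecurityDescriptorSddlForm('Access')
$holderAcl.Access |
    Sort-Object IdentityReference |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize

# 2. Objects SDProp has marked as protected (adminCount = 1).
Get-ADObject -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    [pscustomobject]@{
        Name               = $_.Name
        Class              = $_.ObjectClass
        # SDProp turns inheritance off on protected objects.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        # Assumption: after an SDProp pass the DACL equals the template's.
        # A mismatch is a prompt to review the ACEs by hand, not proof of tampering.
        MatchesTemplate    = ($acl.GetSecurityDescriptorSddlForm('Access') -eq $holderDacl)
    }
} | Sort-Object MatchesTemplate, Name | Format-Table -AutoSize

# 3. Has protection been switched off for any operator group?
#    The 16th character of dSHeuristics is a hex bitmask of excluded groups.
$configDN = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configDN" `
                -Properties dSHeuristics
$heur = [string]$dsObject.dSHeuristics

if ($heur.Length -ge 16) {
    $mask  = [Convert]::ToInt32($heur.Substring(15, 1), 16)
    $names = [ordered]@{ 1 = 'Account Operators'; 2 = 'Server Operators'
                         4 = 'Print Operators';   8 = 'Backup Operators' }
    $excluded = $names.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $names[$_] }
    if ($excluded) { "Excluded from AdminSDHolder protection: $($excluded -join ', ')" }
    else           { 'No operator group is excluded from AdminSDHolder protection.' }
} else {
    'dSHeuristics is unset or shorter than 16 characters: default protection applies.'
}
```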


Posted in Directory Services