AwinishNaitik's Technical Blog

Lets continue the journey of learn & Share..

Understanding AdminSDHolder and Protected Groups

Posted by Awinish on March 1, 2011

If you have faced an issue, where you add a domain user to a protected group like administrators,domain admins, enterprise admins, schema admins, account operator etc. & after an hour or so membership disappears & you are scratching your head who did it. You start your findings & come to know its “AdminSDHolder” which reside in system partition reset the ACL to preserver the protected group from misuse & its built-in function. You can disable the automatic reset of permission on protected/built-in groups, but i would say you are inviting security flaws in your environment.

If you want to understand the details of AdminSDHolder & its working, take a look at below posted link. MVP John Policelli on has explained in-depth on his blog & i thought sharing it to readers on my blog too.

http://policelli.com/blog/archive/2009/11/06/understanding-adminsdholder-and-protected-groups/

http://policelli.com/blog/archive/2010/06/05/technet-magazine-article-adminsdholder-protected-groups-and-sdprop-finally-updated/

http://blog.joeware.net/2009/09/08/1693/

Five common questions about AdminSdHolder and SDProp

http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s