Not related, right? Wrong!
I was working with a client to set up ADConnect and enable the Exchange hybrid writeback environment. A couple of days after the initial sync, we started running into permissions issues. A little background: when you don't use the express settings during the ADConnect install, you need to use DSACLS to set up the correct security delegation on the OUs and AD objects (that's another post). Once this was completed and the OUs selected, the initial sync was started and completed without error. After a couple of days, writeback errors began showing up in the logs. It was strange: why would an account that was syncing fine on Monday have errors on Wednesday? What changed with these accounts? I decided to find out whether the accounts had anything in common, and dusted off some PowerShell scripts to generate user reports…
The scripts showed me they were not all members of the same group. They were in the same OU but in different sub-OUs. Some were in privileged groups, some were not. I noticed that security inheritance was disabled on the user objects and they all had AdminCount=1. I was not sure why, what that meant, or whether it had anything to do with the permissions issues. The disabled inheritance was a red flag, and I was leaning toward it as the cause. After digging deeper, I found that adding a user to a protected group sets the AdminCount attribute; the object is then protected by AdminSDHolder and security inheritance is disabled.
Protected Objects (Windows Server 2008 & Windows Server 2008 R2):
- Administrators
- Backup Operators
- Domain Admins
- Domain Controllers
- Enterprise Admins
- Krbtgt
- Print Operators
- Read-only Domain Controllers
- Replicator
- Schema Admins
- Server Operators
I went back and reviewed the group membership and found that some of the users were not currently members of a protected group but still had the AdminCount value set. I was able to determine that when a user is removed from a protected group, AdminCount is not cleared and inheritance is not re-enabled.
The Security Descriptor propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object Access Control List (ACL) with the security permissions set on the AdminSDHolder. AdminSDHolder is an object located in the System Partition in Active Directory (cn=adminsdholder,cn=system,dc=domain,dc=com) and is used as a security template for objects that are members of certain protected groups.
I questioned how many other user accounts had this same setting. Back to PowerShell…
Import-Module ActiveDirectory
#Get List of Protected Groups
$AdminGroup = Get-ADGroup -LDAPFilter "(adminCount=1)"
#Get List of Admin Users (Past and Present)
$AdminUsers = Get-ADUser -LDAPFilter "(adminCount=1)"
Now, with a list of the groups and users with AdminCount set, I need a current list of users in the protected groups.
#-Recursive: SDProp also protects members nested through other groups
$Admins = ForEach ($Group in $AdminGroup) {Get-ADGroupMember $Group -Recursive | Where-Object {$_.ObjectClass -eq "user"}}
Now compare them to the list of users with AdminCount set to 1
#Create empty hash tables to store the results
$PGUsers = @{}
$OrphanUsers = @{}
#Compare $AdminUsers to $Admins by SamAccountName and place each in the appropriate hash table
$AdminNames = $Admins | ForEach-Object { $_.SamAccountName }
ForEach ($User in $AdminUsers){
    If ($AdminNames -contains $User.SamAccountName){
        $PGUsers.Add($User.SamAccountName, "Present")
    }
    Else{
        $OrphanUsers.Add($User.SamAccountName, "NotPresent")
    }
}
Now we can clear the AdminCount on the orphaned accounts and enable inheritance.
#Function to enable inheritance (defined first: PowerShell must see a function before it is called)
Function Set-Inheritance{
    Param($ObjectPath)   # distinguished name of the object
    $Acl = Get-ACL -path "AD:\$ObjectPath"
    If ($Acl.AreAccessRulesProtected -eq $True){
        # $False = inherit from the parent again; the second argument is ignored when un-protecting
        $Acl.SetAccessRuleProtection($False, $True)
        Set-ACL -AclObject $Acl -path "AD:\$ObjectPath"
    }
}
#Clear AdminCount Attribute and enable inheritance
ForEach ($Orphan in $OrphanUsers.Keys){
    $Orphan
    $ADUser = Get-ADUser $Orphan
    Set-ADUser $ADUser -Clear AdminCount
    Set-Inheritance $ADUser.DistinguishedName
}
Once the orphaned admins were corrected the errors cleared up.
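As an added example (not code from the original post), here is an audit that ties the AdminCount state back to the writeback symptom: for every user with AdminCount=1 it reports whether the account is still a (nested) member of a protected group, whether inheritance is blocked, and whether the ADConnect service account still has any ACE on the object. The connector account name is an assumed placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and a connector account given as 'DOMAIN\name' (placeholder, substitute yours).
Import-Module ActiveDirectory

Function Get-AdminCountDelegationReport {
    Param(
        [Parameter(Mandatory)] [string]$ConnectorAccount   # e.g. 'CONTOSO\MSOL_xxxxxxxx' (placeholder)
    )
    # Effective (nested) membership of every protected group, keyed by SamAccountName
    $ProtectedMembers = @{}
    Get-ADGroup -LDAPFilter '(adminCount=1)' | ForEach-Object {
        Get-ADGroupMember $_ -Recursive |
            Where-Object { $_.ObjectClass -eq 'user' } |
            ForEach-Object { $ProtectedMembers[$_.SamAccountName] = $true }
    }

    Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
        $Acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        # Any ACE whose trustee is the connector account means the delegation survived SDProp
        $HasDelegation = [bool]($Acl.Access |
            Where-Object { $_.IdentityReference.Value -eq $ConnectorAccount })
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            CurrentlyProtected = $ProtectedMembers.ContainsKey($_.SamAccountName)
            InheritanceBlocked = $Acl.AreAccessRulesProtected
            ConnectorAceFound  = $HasDelegation
        }
    }
}

# Usage: accounts where writeback will fail because the connector has no rights on the object.
# Rows with CurrentlyProtected = $false are the orphans the post's cleanup loop fixes.
Get-AdminCountDelegationReport -ConnectorAccount 'CONTOSO\MSOL_connector' |
    Where-Object { -not $_.ConnectorAceFound } | Format-Table -AutoSize
```

Accounts that are still protected will lose the connector's ACEs again on the next SDProp pass, so only the orphaned rows should be repaired by clearing AdminCount and restoring inheritance.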