AdminCount? Protected groups? SDPROP? ADConnect permission issues?

Not related, right? Wrong!

I was working with a client to set up ADConnect and enable Exchange hybrid writeback. A couple of days after the initial sync, we started running into permissions issues. A little background: when you don't use the express settings during the ADConnect install, you need to use DSACLS to set up the correct security delegation on the OUs and AD objects (that's another post). Once this was completed and the OUs selected, the initial sync was started and completed without error. After a couple of days, writeback errors began showing up in the logs. It was strange. Why would an account that was syncing fine on Monday have errors on Wednesday? What had changed with these accounts? I decided to find out if the accounts had anything in common, and dusted off some PowerShell scripts to generate user reports…

The scripts showed me they were not all members of the same group. They were in the same OU but in different sub-OUs. Some were in privileged groups, some were not. I noticed that security inheritance was disabled on the user objects and they all had AdminCount=1. I was not sure why, what that meant, or whether it had anything to do with the permissions issues. The disabled inheritance was a red flag, and I was leaning toward it as the cause. After digging deeper, I found that adding a user to a protected group sets the AdminCount attribute; the object is then protected by AdminSDHolder and security inheritance is disabled.

Protected Objects (Windows Server 2008 & Windows Server 2008 R2):

  • Administrators
  • Backup Operators
  • Domain Admins
  • Domain Controllers
  • Enterprise Admins
  • Krbtgt
  • Print Operators
  • Read-only Domain Controllers
  • Replicator
  • Schema Admins
  • Server Operators

I went back and reviewed the group membership and found that some of the users were no longer members of a protected group but still had the AdminCount value set. I was able to determine that when a user is removed from a protected group, AdminCount is not cleared and inheritance is not re-enabled.

The Security Descriptor Propagator (SDProp) process runs every 60 minutes on the PDC Emulator and re-stamps the object's Access Control List (ACL) with the security permissions set on AdminSDHolder. AdminSDHolder is an object located in the System Partition in Active Directory (cn=adminsdholder,cn=system,dc=domain,dc=com) and is used as a security template for objects that are members of certain protected groups.
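As an added illustration of what SDProp's re-stamping looks like on a live object (this is not code from the original post), the function below compares a user's explicit ACEs against the AdminSDHolder template and reports whether inheritance is blocked. It assumes the ActiveDirectory module with its AD: drive, and 'jdoe' is a placeholder SamAccountName.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (RSAT) and the AD: drive it provides; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

function Get-AceSignature {
    # Projects an ACE to a comparable string (who, rights, allow/deny, object GUIDs).
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType
}

function Test-AdminSDHolderStamp {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domainDN = (Get-ADDomain).DistinguishedName
    $user     = Get-ADUser -Identity $SamAccountName -Properties adminCount

    $holderAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
    $userAcl   = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    # Only explicit (non-inherited) ACEs are compared: SDProp copies the AdminSDHolder
    # DACL onto the object and blocks inheritance, so a stamped object carries the
    # template's ACEs as its own explicit entries.
    $template = @($holderAcl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
                  ForEach-Object { Get-AceSignature $_ } | Sort-Object -Unique)
    $actual   = @($userAcl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
                  ForEach-Object { Get-AceSignature $_ } | Sort-Object -Unique)

    # Template ACEs that are absent from the user object (SideIndicator '<=').
    $missing = @(Compare-Object -ReferenceObject $template -DifferenceObject $actual |
                 Where-Object SideIndicator -eq '<=' |
                 Select-Object -ExpandProperty InputObject)

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        AdminCount           = $user.adminCount
        InheritanceDisabled  = $userAcl.AreAccessRulesProtected
        MatchesAdminSDHolder = ($missing.Count -eq 0)
        MissingTemplateAces  = $missing
    }
}

# A stamped account shows AdminCount 1, InheritanceDisabled True and
# MatchesAdminSDHolder True. An account removed from a protected group keeps
# that state until someone cleans it up; SDProp never undoes it.
Test-AdminSDHolderStamp -SamAccountName 'jdoe' | Format-List
```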

I wondered how many other user accounts had this same setting. Back to PowerShell…

#Get list of protected groups (the groups themselves are also stamped with adminCount=1)
$AdminGroup = Get-ADGroup -LDAPFilter "(adminCount=1)"

#Get list of admin users (past and present)
$AdminUsers = Get-ADUser -LDAPFilter "(adminCount=1)"

Now, with a list of the groups and users with AdminCount set, I need a current list of users in the protected groups.

#Current user members of the protected groups, by distinguished name. -Recursive is needed because nested members are protected too.
$Admins = ForEach ($Group in $AdminGroup) {Get-ADGroupMember $Group -Recursive | Where-Object {$_.ObjectClass -eq "user"} | Select-Object -ExpandProperty DistinguishedName}

Now compare them to the list of users with AdminCount set to 1.

#Create empty hash tables to store the results
$PGUsers = @{}
$OrphanUsers = @{}

#Compare $AdminUsers to $Admins and place each user in the appropriate hash table (exact DN match, not a regex -Match on the display name)
ForEach ($User in $AdminUsers){
    If ($Admins -contains $User.DistinguishedName){
        $PGUsers.Add($User.SamAccountName, "Present")
    }
    Else{
        $OrphanUsers.Add($User.SamAccountName, "NotPresent")
    }
}

Now we can clear the AdminCount on the orphaned accounts and enable inheritance. The helper function has to be defined before it is called, so it comes first.

#Function to enable inheritance on an AD object, given its distinguished name
Function Set-Inheritance{
    Param($ObjectPath)
    $Acl = Get-ACL -Path "AD:\$ObjectPath"
    If ($Acl.AreAccessRulesProtected -eq $True){
        $Acl.SetAccessRuleProtection($False, $True)
        Set-ACL -AclObject $Acl -Path "AD:\$ObjectPath"
    }
}

#Clear the AdminCount attribute and enable inheritance. Iterate the hash table keys (SamAccountNames), not the hash table itself.
ForEach ($Orphan in $OrphanUsers.Keys){
    $Orphan
    $ADUser = Get-ADUser $Orphan
    Set-ADUser $Orphan -Clear AdminCount
    Set-Inheritance $ADUser.DistinguishedName
}


Once the orphaned admins were corrected the errors cleared up.


References used

Regarding AdminSDHolder
http://blogs.technet.com/b/asiasupp/archive/2006/11/16/adminsdholder1.aspx

AdminSDHolder, Protected Groups and SDPROP
http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Delegated permissions are not available and inheritance is automatically disabled
http://support.microsoft.com/kb/817433

AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts
http://support.microsoft.com/kb/306398

Published March 17th, 2016 (updated 2016-04-12) in Azure, Office 365, PowerShell, Uncategorized.

About the Author:

Chris Meyers
Consultant – Model Technology Solutions Chris has more than 20 years of industry experience. Prior to his work with Model, Chris worked for one of St. Louis’ largest law firms where his responsibilities ranged from implementing Citrix to automating desktop deployments to virtualizing the datacenter. He has also worked with Microsoft’s Rapid Deployment Program to bring new technologies to one of the three largest consumer credit reporting agencies in the US.
