
What is ‘AdminSDHolder’ object & How to reset AdminCount value?


In this post, we discuss the Active Directory ‘AdminSDHolder’ object and a method to reset the AdminCount attribute value.

Every Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain (CN=AdminSDHolder,CN=System,DC=domain,DC=com).

The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of the built-in or granted administrative groups. The AdminCount attribute of an account changes from NULL to 1 when that account is granted administrative permissions. When those administrative permissions are later disabled or revoked, the AdminCount attribute on the user account does not change: the value 1 remains.

For example, an account might temporarily require elevated privileges to perform a specific task. In such cases, the AdminSDHolder task applies the security descriptor associated with the AdminSDHolder object to the account. The problem is that, once the privileges are removed again, the adminCount attribute on that user account does not change; the value 1 remains.

How to reset the AdminCount attribute value of orphaned accounts?

There are two steps involved in this activity.

Step 1: First, find which users in the domain are currently flagged as protected by AdminSDHolder (adminCount=1).

Adfind.exe -b DC=domain,DC=com -f "&(objectcategory=person)(samaccountname=*)(admincount=1)" -dn

Note: Replace DC=domain,DC=com with the distinguished name of your domain. The -dn switch returns only the distinguished names of the matching objects. The AdFind utility can be downloaded from here.

Step 2: Run a script to reset the value.

Run the script on a domain controller to reset the AdminCount attribute of the users found in Step 1 that no longer hold administrative permissions back to NULL.

The script can be found here: http://support.microsoft.com/?id=817433
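The following PowerShell script is an added example that combines both steps above; it is not the AdFind command or the Microsoft KB script from the original post. It assumes the ActiveDirectory module (RSAT) is installed, that it runs as an account allowed to read and modify the affected user objects, and that the domain uses the default set of protected groups listed in the script (adjust that list if your domain differs). Without the -Reset switch it only reports orphaned accounts; with -Reset it clears adminCount and re-enables ACL inheritance, which the AdminSDHolder task had switched off on the object.

```powershell
# Added example, not from the original post: report (and optionally reset)
# users whose adminCount is 1 but who are no longer members of any protected group.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Reset   # omit to run in report-only mode
)

Import-Module ActiveDirectory

# Well-known default groups whose members AdminSDHolder protects.
# Assumption: your domain has not extended this list; edit it if it has.
$protectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

# Build a lookup of every user that is still a (transitive) member of a protected group.
$stillProtected = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $stillProtected[$_.distinguishedName] = $true }
}

# Step 1 equivalent: same LDAP filter as the AdFind command, then keep only the
# accounts that are no longer in a protected group. Administrator and krbtgt are
# protected directly by AdminSDHolder and must never be treated as orphans.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object {
        -not $stillProtected.ContainsKey($_.DistinguishedName) -and
        $_.SamAccountName -notin @('Administrator', 'krbtgt')
    }

# Step 2 equivalent: reset each orphaned account.
foreach ($user in $orphans) {
    Write-Output "Orphaned adminCount=1 account: $($user.DistinguishedName)"

    if ($Reset -and $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Clear adminCount and re-enable inheritance')) {
        # Clear the attribute, i.e. set it back to <not set> (the NULL the post refers to).
        Set-ADUser -Identity $user -Clear adminCount

        # AdminSDHolder also disabled inheritance on the object's ACL; turn it back on
        # ($false = stop protecting from inheritance, $true = keep the existing explicit ACEs)
        # so the account receives its OU's delegated permissions again.
        $path = "AD:\$($user.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it first without -Reset and review the list; then run with -Reset (add -WhatIf to see what would change without touching anything). Only reset accounts after they have actually been removed from every protected group: the SDProp process on the PDC emulator re-applies the AdminSDHolder descriptor and sets adminCount back to 1 on every protected member, by default every 60 minutes, so resetting a still-privileged account is undone on the next run. Keeping a copy of the report is also useful for auditing which formerly privileged accounts were cleaned up and when.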

  1. john
    June 29, 2013 at 11:54 am

    An impressive share! I have just forwarded this onto a coworker who has been conducting a little homework on this. And he actually bought me dinner because I discovered it for him… lol. So let me reword this…. Thanks for the meal!! But yeah, thanks for spending some time to discuss this subject here on your website.
