Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


June 2007

Demystifying the AdminSDHolder Object

Avoid the problem of disappearing AD permissions
From the June 2007 Edition
of Windows IT Pro
Tony Murray
Feature
InstantDoc #95834
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Did you ever set permissions on Active Directory (AD) objects and have those permissions mysteriously disappear shortly afterward? Most administrators involved in AD support will have experienced this odd behavior at some point. What might be causing it? Gremlins in the network? A rogue administrator? Actually, it's more likely to be the AdminSDHolder object, a little-known feature of AD designed to protect certain privileged group and user objects from compromise. We'll look at the role of AdminSDHolder and techniques you can use to modify its behavior and avoid common pitfalls.

An Example of the Problem
To illustrate, let's take a simple example of the AdminSDHolder object in action. Joe works on the IT service desk and has, via membership of the Service Desk group, the delegated permission to reset passwords for all users in an organizational unit (OU) named Wellington Users. When Joe tries to change the password for user James Smith, he receives an Access is Denied error. Being reasonably tech-savvy, Joe opens the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to compare James Smith's security settings, which Figure 1 shows, with the settings of Don Murphy, whose password he can reset, as Figure 2 shows.

On Don Murphy's security settings, Joe sees that the Service Desk group has permission to reset passwords. In contrast, this permission is absent from James Smith's security settings, which also show that permissions inheritance is blocked. Thinking this somewhat strange, Joe asks one of the AD administrators to change James Smith's security settings to match those of Don Murphy. Joe goes to lunch and comes back to find a note from the AD guy to say that the security settings have been changed as requested. Joe tries again to reset James Smith's password and, to his frustration, gets the same Access is Denied error. He storms off to shout at the AD admin, who tells Joe that he indeed reset James Smith's security settings. So what actually happened?

Closer inspection of James Smith's account reveals that he's a member of the Domain Admins group. AD protects certain privileged groups and accounts from being compromised, including the Domain Admins group. Table 1 lists these groups and accounts. The protection extends to all members of these groups, including nested group membership. In our example, it would be poor security for Joe to be able to reset the password for an account that's a member of Domain Admins, as he could easily then use the account himself, make his own account a member of Domain Admins, create a new account with elevated privileges, or perform similar tasks. From a security perspective, it clearly makes sense to have some type of built-in protection in place.

What's AdminSDHolder?
Many people tend use the term AdminSDHolder to refer to the process by which AD protects privileged groups and accounts, but it's really just the name of an AD object. The AdminSDHolder object is a container object in the domain directory partition at CN=AdminSDHolder, CN=System,<Domain DN>—for example, CN=AdminSDHolder, CN=System,DC=north, DC=com.

The object itself does nothing special but acts as a place-holder for a restricted security descriptor. Figure 3 shows an example of the AdminSDHolder object's security descriptor. Every hour, a background SAM task runs on the domain controller (DC) that holds the PDC emulator Flexible Single-Master Operation (FSMO) roles. This task is, among other things, responsible for checking whether the security descriptors of the protected groups and users match those of the AdminSDHolder object. If the descriptors differ, the AdminSDHolder task uses the AdminSDHolder's security descriptor to overwrite whatever permissions have been set on the problematic group or user. In our earlier example, the AdminSDHolder task replaced the inherited permissions that the AD administrator had reset on James Smith's account, which resulted in the confusion.

The AdminSDHolder task also sets the user's or group's adminCount attribute from <Not Set> to a value of 1. Figure 4 shows an example of James Smith's attributes viewed through the ADSI Edit tool.

You can change the security descriptor associated with the AdminSDHolder object, although I don't advise doing so. Keep in mind that this change updates all protected users and groups with the new security descriptor. Don't make such as change lightly; a poorly planned configuration can leave your AD environment open to compromise. For example, assigning the Domain Users group full-control permissions on the AdminSDHolder object would effectively allow anyone in the domain to potentially elevate their group membership to Domain Admins.

Avoiding Resetting of Security Descriptors
As a best practice, I recommend that you don't make standard user accounts members of the groups protected by the AdminSDHolder object. By "standard" accounts, I mean those you typically use to log on to the domain from a workstation to perform everyday tasks, such as creating Microsoft Word documents or working with email. If a user needs to perform administrative tasks, assign the user a second account for this purpose. By doing so, you can avoid scenarios like the one I described at the beginning of the article. To remedy the problem, you could assign James Smith an additional account for administrative purposes, make his new account a member of Domain Admins, and place the account in a separate OU, to which the Service Desk group has no delegated permissions.

Changing the AdminSDHolder Task Schedule
Depending on your environment, you might decide to tighten security by running the AdminSDHolder task more frequently. You can do so by modifying the registry, as follows. (Note that the usual warnings about modifying the registry apply.)

  1. Locate the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\NTDS\ Parameters subkey.
  2. If this subkey isn't already present, add a new DWORDvalue named AdminSDProtectFrequency and set the value (decimal) in seconds. The lowest possible setting is one minute (60 seconds), and the maximum is 120 minutes (7,200 seconds).

You should be aware that the AdminSDHolder task is resource intensive, so think carefully before you decide to modify the default setting. I've noticed that the task tends to spike the CPU on the PDC emulator DC whenever it runs. Also note that you can't force the AdminSDHolder task to run manually.

   Previous  [1]  2  Next 


Reader Comments

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path Windows IT Pro Resources
"Monitoring AD Changes"

"Granting Permissions on AD User Object Properties"

"Access Denied: Returning to a Domain's Default Permissions"

"Windows 2003: Active Directory Administration Essentials (Windows IT Pro eBook)"
Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

Escape From Yesterworld

Kevin points you to the funniest SQL Server website ever! ...

The Desktop tab is missing from the Display Properties in Windows XP?

...
Active Directory (AD) Whitepapers An Introduction to Windows Server 2008 Server Manager

Get More from Active Directory—Easily Audit Changes, and Secure and Restore Objects

User Provisioning: Get the Most Bang for your IT Buck
Related Events Check out our list of Free Email Newsletters!
Active Directory (AD) eBooks Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

WinConnections Conference Fall 2008
Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).

Maximize your SharePoint Investment – 8 Cities
Discover best practices and tips for both architecting and administering SharePoint. Early Bird Price of $99 through Sept 15th.

Find a new job now on the all new IT Job Hound!
Search jobs, post your resume, and set up job e-mail alerts!

Master SharePoint with 3 eLearning Seminars
Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!

Top Tools for Virtualization Disaster Recovery & Replication
View this web seminar on August 14th to learn about two tools that will result in faster backup and restore with P2V disaster recovery.

SharePointConnections Conference Fall 2008
Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).

VMworld 2008 - Sign Up Today!
Join your peers on September 15-18 at The Venetian Hotel in Las Vegas as VMware hosts VMworld 2008, the leading Virtualization event.



When managing just VMware isn’t enough
Plan/Manage/Secure – NetIQ VMware management. Download whitepaper.

What’s up with your network? Find out with ipMonitor
Availability monitoring for servers, applications and networks – FREE trial

Microsoft® Tech•Ed EMEA 2008 IT Professionals
Advance your thinking with new ideas and practical real-world solutions at Microsoft’s FIVE day technical infrastructure conference 3-7 Nov., 2008. Register before 26 September 2008 to save €300.

Order Your Fundamentals CD Today!
Gain an introduction to Exchange, learn server security requirements, and understand how unified communications can play a role in your messaging strategies with this free Exchange CD.

Are You Really Compliant with Software Regulations?
View this web seminar that will help you with compliance best practices and check out a management solution to assure that you won’t be in jeopardy of an audit.

Virtualization Congress Oct. 14-16 in London
Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16 in London.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technical Resources Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing