adminCount, adminSDHolder, SDProp and you!

Quick Synopsis

Ever had the permissions on a user object keep changing and you don't know why? Well, this article tells you why and how to fix it.

If you just want to know how to fix it, page down to the Resolution section, and skip the Technical Explanation.

Technical Explanation

One of the many protection mechanisms built into Active Directory is known by several names: adminCount, adminSDHolder, or SDProp. The first two, adminCount and adminSDHolder, are directly tied to Active Directory. adminCount is an attribute that is set on each object affected by this protection mechanism. adminSDHolder is the reference object that all other critical objects are compared to.

The adminSDHolder object, which stands for Administrative Security Descriptor Holder, exists in each domain. That is, in a multi-domain forest, there is an adminSDHolder object in each of the domains in the forest. The object is located at CN=adminSDHolder, CN=System, DC=example, DC=com. There are a number of access control entries (ACEs) on the adminSDHolder object. Those ACEs are the proper ACEs for any object that can be defined as a critical object.

A critical object is a security principal which is either a very specific principal, or a member of a critical group. Security principals are currently limited to users, groups, computers, or inetorgpersons.

Security Description Propagator (SDProp) is the task that runs within LSASS.EXE which actually enforces the protection mechanism. SDProp performs other tasks as well (including replicating security descriptors from one domain controller to another), but in this case we are interested only in its adminSDHolder functions.

The purpose behind the SDProp mechanism is to stop inappropriate changes from being made to critical objects.

For example, assume the user SubAdmin is delegated full-control privileges over an OU named SubOU. If, under whatever circumstance, the Administrator user for the domain were to be moved under that OU, and then if normal inheritance rules applied to the Administrator user, the SubAdmin user could make whatever changes they wished to that user - including changing the Administrator password. However, the SDProp process prevents that.

Permission inheritance is disabled for all critical objects, and they only have the ACEs applied to them that are present on the adminSDHolder object.

When a critical object is processed by SDProp, it not only checks and resets the ACEs on the object, it also sets another attribute: adminCount. If SDProp has ever processed a security principal, that object will have adminCount set equal to 1 AND inheritance will be disabled.

This can cause problems in a number of environments. This is primarily because critical objects in an OU will not receive delegated permissions for that OU. A number of applications depend on that functionality (such as Cisco Unity and Blackberry Enterprise Server).

The critical objects which are users are:

  • Administrator
  • krbtgt

The critical objects which are groups are:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Cert Publishers

Only the first four were critical objects in Windows 2000. The last five were added with Windows 2003 (and Windows 2000 service pack 4). This explains why the issue was not seen for most companies with Windows 2000 and it only began appearing with the deployment of Windows 2003.

Resolution

The proper workaround is for high-privilege principals (i.e., critical objects) not be used for day-to-day activities. That is, you should not log into your workstations with your account which is a member of any critical group. The Administrator user shouldn't have a Blackberry or a voice-mail account. Etc.

In order to reverse the effect of SDProp on a security principal, you must do three things:

  1. Remove the security principal from the critical group.
  2. Set adminCount equal to zero using ADSIEdit or LDP.
  3. Re-enable inheritance on the object (this can be done from within ADUC, with View -> Advanced, on the security tab or from within ADSIEdit or LDP).

Note that once adminCount is set equal to one, removing the security principal from the critical group will not cause SDProp to reverse its changes. As long as adminCount is equal to one, SDProp will continue to reset permissions on an object. Therefore, the order of the steps listed above is important. Depending on timing, you may be successful at following an alternate order, but you may not always be so lucky.

Until next time...

As always, if there are items you would like me to talk about, please drop me a line and let me know!

Published Wednesday, October 22, 2008 1:56 PM by michael
Filed under:

Comments

Thursday, May 07, 2009 11:18 AM by Ask the Directory Services Team

# Five common questions about AdminSdHolder and SDProp

Ned here again. After a few years of supporting Active Directory, nearly everyone runs into an issue

# Use PowerShell to look up AdminCount from AdminSDHolder and SDPROP - Shariq Sheikh | Port 389

Pingback from  Use PowerShell to look up AdminCount from AdminSDHolder and SDPROP - Shariq Sheikh | Port 389