The information in this article applies only to upgrading from Windows 2000 RC2 (or earlier builds) to the released version of Windows 2000. A change was made in Windows 2000 RC3 to the access control list (ACL) of the AdminSDHolder Active Directory object. This object is used to control the permissions of user accounts that are members of the built-in Administrators or Domain Administrators groups.

Every hour, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory that are in administrative groups against the ACL on the following object:

CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com

Replace "DC=MyDomain,DC=Com" in this path with the distinguished name (DN) of your domain.

If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed, and the ACL on that account must be changed manually.
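The hourly comparison described above is easier to reason about as code. The following is an added example, not from the article: an in-memory model of the propagation pass that resolves nested membership of a protected group, overwrites any differing ACL with the AdminSDHolder ACL (inheritance disabled), and shows the edge case the article notes, that removing an account from the group does not undo the stamping. The account names, group names, ACE tuples and the adminCount attribute value are all constructed for illustration.

```python
# Added example (not from the KB article): a model of the hourly AdminSDHolder
# comparison, including nested groups and the "not reversed on removal" case.
# Names, ACEs and the adminCount values are constructed for illustration.
from dataclasses import dataclass


# An ACE is modelled as (trustee, access); an ACL is a set of ACEs plus a flag
# saying whether the object still inherits permissions from its parent.
@dataclass
class Acl:
    aces: frozenset
    inherit: bool = True


@dataclass
class Principal:
    name: str
    acl: Acl
    admin_count: int = 0   # 0 = never stamped, 1 = stamped by the process


# Constructed stand-in for the ACL on CN=AdminSDHolder,CN=System,<domain DN>
ADMINSDHOLDER_ACL = Acl(
    aces=frozenset({
        ("NT AUTHORITY\\SYSTEM", "FULL CONTROL"),
        ("BUILTIN\\Administrators", "SPECIAL ACCESS"),
        ("Everyone", "Change Password"),
    }),
    inherit=False,   # the template object itself blocks inheritance
)


def resolve_members(groups, protected):
    """Every name reachable from a protected group, following nested groups."""
    seen, stack = set(), list(protected)
    while stack:
        g = stack.pop()
        for m in groups.get(g, ()):
            if m not in seen:
                seen.add(m)
                if m in groups:      # nested group: walk into it as well
                    stack.append(m)
    return seen


def sdprop_pass(principals, groups, protected):
    """One hourly pass: stamp every protected member whose ACL differs from
    AdminSDHolder (or still inherits). Returns the names that were overwritten."""
    changed = []
    for name in resolve_members(groups, protected):
        if name not in principals:   # nested group objects are skipped in this model
            continue
        p = principals[name]
        if p.acl.aces != ADMINSDHOLDER_ACL.aces or p.acl.inherit:
            p.acl = Acl(ADMINSDHOLDER_ACL.aces, inherit=False)
            changed.append(name)
        p.admin_count = 1
    return sorted(changed)


def orphaned(principals, groups, protected):
    """Accounts still stamped (adminCount=1) although no longer in a protected group."""
    members = resolve_members(groups, protected)
    return sorted(n for n, p in principals.items()
                  if p.admin_count == 1 and n not in members)


def demo():
    # Constructed starting state: every account lives in a delegated OU whose
    # ACL lets a help-desk group write properties, with inheritance enabled.
    delegated = Acl(frozenset({("CONTOSO\\HelpDesk", "WRITE PROPERTY")}), inherit=True)
    principals = {
        "alice": Principal("alice", delegated),
        "bob":   Principal("bob", delegated),
        "carol": Principal("carol", delegated),   # not an admin
    }
    groups = {"Domain Admins": ["alice", "Tier0 Ops"], "Tier0 Ops": ["bob"]}
    protected = {"Domain Admins"}

    first = sdprop_pass(principals, groups, protected)    # alice and bob stamped
    second = sdprop_pass(principals, groups, protected)   # idempotent: nothing to do
    groups["Tier0 Ops"].remove("bob")                     # bob leaves the admin group
    third = sdprop_pass(principals, groups, protected)    # bob is NOT reverted
    return first, second, third, orphaned(principals, groups, protected), principals


if __name__ == "__main__":
    first, second, third, orphans, _ = demo()
    print("stamped:", first, "| second pass:", second, "| after removal:", third)
    print("still stamped but no longer protected:", orphans)
```

The `orphaned` function is the check a defender wants to run periodically: an account that keeps the AdminSDHolder ACL and `adminCount=1` after leaving the group is no longer covered by delegated administration, and will stay that way until someone resets it by hand, exactly as the article states.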
NOTE: Using the following procedure is not required if you are upgrading Microsoft Windows NT 4.0 to the released version of Windows 2000.

To correct this situation, use this procedure on one domain controller per domain:

- Install the Windows 2000 Support Tools from the Windows 2000 Professional or Server CD-ROM. These tools include a utility named Dsacls.exe, which you can use to view, modify, or remove access control entries on objects in Active Directory.
- Create a batch file with the following text, replacing "DC=MyDomain,DC=Com" with the distinguished name (DN) of your domain:
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Everyone:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Remote Access Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;General Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Group Membership"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Logon Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Account Restrictions"
- Run the batch file on the domain controller. It adds the specified access control entries (ACEs) for the Everyone and Pre-Windows 2000 Compatible Access groups.
- At a command prompt, type dsacls cn=adminsdholder,cn=system,dc=mydomain,dc=com (replacing "DC=MyDomain,DC=Com" with the distinguished name (DN) of your domain). Compare the result to the following output:
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Administrators SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow IFRPILOT\Enterprise Admins SPECIAL ACCESS
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow FAA\Domain Admins SPECIAL ACCESS
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information
READ PROPERTY
Allow Everyone Change Password
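Comparing the listing above by eye is error-prone on a domain with many ACEs. The following is an added example, not part of the article: a small parser for the text layout that dsacls prints, followed by a check that the six ACEs the batch file adds (Everyone with Change Password, and Pre-Windows 2000 Compatible Access with READ PROPERTY on each of the five property sets) are all present and that inheritance is blocked. The sample output embedded in the block is a constructed excerpt in the same layout as the listing above, with one property set deliberately left out so the check has something to report; the list of access keywords used to split the trustee name from the access type is an assumption covering only the forms that appear on this page.

```python
# Added example (not from the KB article): parse the text that "dsacls" prints
# for AdminSDHolder and verify the ACEs the batch file should have added.
# SAMPLE_OUTPUT is a constructed excerpt in the article's layout, missing the
# "Account Restrictions" entry on purpose. ACCESS_KEYWORDS is an assumption
# that covers only the access types shown on this page.
import re

PROPERTY_SETS = [
    "Remote Access Information", "General Information", "Group Membership",
    "Logon Information", "Account Restrictions",
]
PRE2K = "BUILTIN\\Pre-Windows 2000 Compatible Access"

# Keywords that end the trustee name on an "Allow ..." / "Deny ..." line.
ACCESS_KEYWORDS = ("SPECIAL ACCESS", "FULL CONTROL", "Change Password")

SAMPLE_OUTPUT = """\
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow NT AUTHORITY\\SYSTEM FULL CONTROL
Allow BUILTIN\\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
Allow BUILTIN\\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information
READ PROPERTY
Allow BUILTIN\\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information
READ PROPERTY
Allow BUILTIN\\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership
READ PROPERTY
Allow BUILTIN\\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information
READ PROPERTY
Allow Everyone Change Password
"""


def parse_dsacls(text):
    """Return (protected_from_inheritance, aces). Each ACE is a dict with the
    keys type, trustee, access, property (None unless "for <property set>")
    and rights (the upper-case continuation lines under a SPECIAL ACCESS entry)."""
    protected = "protected from inheriting" in text
    aces, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(Allow|Deny) (.+)$", line)
        if m:
            rest = m.group(2)
            for kw in ACCESS_KEYWORDS:
                idx = rest.find(" " + kw)
                if idx != -1:
                    trustee, access = rest[:idx], rest[idx + 1:]
                    break
            else:
                raise ValueError("unrecognised access keyword: " + line)
            prop = None
            if " for " in access:
                access, prop = access.split(" for ", 1)
            current = {"type": m.group(1), "trustee": trustee, "access": access,
                       "property": prop, "rights": []}
            aces.append(current)
        elif current is not None and line and line == line.upper():
            current["rights"].append(line)   # one right of a SPECIAL ACCESS entry
    return protected, aces


def missing_aces(text):
    """List the expected entries (as added by the batch file) that the output lacks."""
    protected, aces = parse_dsacls(text)
    missing = []
    if not protected:
        missing.append("inheritance not blocked on AdminSDHolder")
    if not any(a["type"] == "Allow" and a["trustee"] == "Everyone"
               and a["access"] == "Change Password" for a in aces):
        missing.append("Everyone: Change Password")
    for ps in PROPERTY_SETS:
        if not any(a["type"] == "Allow" and a["trustee"] == PRE2K
                   and a["property"] == ps and "READ PROPERTY" in a["rights"]
                   for a in aces):
            missing.append(f"{PRE2K}: READ PROPERTY for {ps}")
    return missing


if __name__ == "__main__":
    for item in missing_aces(SAMPLE_OUTPUT):
        print("missing:", item)
```

To use it against a real domain controller, redirect the output of the dsacls command from the procedure to a file and pass the file's contents to `missing_aces`; an empty list means every entry the batch file adds is present.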