Delegated permissions are not available and inheritance is automatically disabled

Article ID: 817433 - View products that this article applies to.

System TipThis article applies to a different version of Windows than the one you are using. Content in this article may not be relevant to you.Visit the Windows 7 Solution Center

Expand all | Collapse all

SYMPTOMS

After you upgrade to Microsoft Windows Server 2003, you may experience the following symptoms:

Delegated permissions are not available to all users in an organizational unit.
Inheritance is automatically disabled on some user accounts approximately one time an hour
Users who previously had delegated permissions, no longer have them.

This problem may also occur after you apply the hotfix described in Microsoft Knowledge Base article 327825 to Microsoft Windows 2000 Server or after you install Windows 2000 Service Pack 4 to Microsoft Windows 2000 Server. For more information about the Windows 2000 327825 hotfix, click the following article number to view the article in the Microsoft Knowledge Base:

327825

(http://support.microsoft.com/kb/327825/ )

New resolution for problems with Kerberos authentication when users belong to many groups

Back to the top | Give Feedback

CAUSE

When you delegate permissions using the Delegation of Control wizard, these permissions rely on the user object that inherits the permissions from the parent container. Members of protected groups do not inherit permissions from the parent container. Therefore, if you set permissions using the Delegation of Control wizard, these permissions are not applied to members of protected groups.

Note Membership in a protected group is defined as either direct membership or transitive membership using one or more security or distribution groups. Distribution groups are included because they can be converted to security groups.

In Windows Server 2003, the number of groups that are protected has been increased to enhance security in Active Directory (see the "More Information" section). The number of groups that are protected also increases if you apply the 327825 hotfix to Windows 2000.

Back to the top | Give Feedback

RESOLUTION

To resolve this problem, you can install a hotfix. You must install the hotfix on the domain controller that holds the primary domain controller (PDC) emulator operations master role in each domain. Additionally, you must install the hotfix on all domain controllers that you might use to take over this role if the current PDC emulator operations master role holder becomes unavailable. If you are not sure of the domain controller you would use to take over the role, we recommend that you consider installing the hotfix on all domain controllers. If a domain controller without the hotfix assumes the PDC emulator operations master role, the user's permissions will be reset again.

Windows 2000 hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

(http://support.microsoft.com/contactus/?ws=support)

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

   Date         Time   Version             Size  File name
   ----------------------------------------------------------
   24-Mar-2004  02:17  5.0.2195.6876    388,368  Advapi32.dll     
   24-Mar-2004  02:17  5.0.2195.6866     69,904  Browser.dll      
   24-Mar-2004  02:17  5.0.2195.6824    134,928  Dnsapi.dll       
   24-Mar-2004  02:17  5.0.2195.6876     92,432  Dnsrslvr.dll     
   24-Mar-2004  02:17  5.0.2195.6883     47,888  Eventlog.dll     
   24-Mar-2004  02:17  5.0.2195.6890    143,632  Kdcsvc.dll       
   11-Mar-2004  02:37  5.0.2195.6903    210,192  Kerberos.dll     
   21-Sep-2003  00:32  5.0.2195.6824     71,888  Ksecdd.sys
   11-Mar-2004  02:37  5.0.2195.6902    520,976  Lsasrv.dll       
   25-Feb-2004  23:59  5.0.2195.6902     33,552  Lsass.exe        
   19-Jun-2003  20:05  5.0.2195.6680    117,520  Msv1_0.dll       
   24-Mar-2004  02:17  5.0.2195.6897    312,592  Netapi32.dll     
   19-Jun-2003  20:05  5.0.2195.6695    371,984  Netlogon.dll     
   10-Aug-2004  00:17  5.0.2195.6966    933,648  Ntdsa.dll        
   24-Mar-2004  02:17  5.0.2195.6897    388,368  Samsrv.dll       
   24-Mar-2004  02:17  5.0.2195.6893    111,376  Scecli.dll       
   24-Mar-2004  02:17  5.0.2195.6903    253,200  Scesrv.dll       
   04-Jun-2004  23:13  5.0.2195.6935  5,887,488  Sp3res.dll       
   24-Mar-2004  02:17  5.0.2195.6824     50,960  W32time.dll      
   21-Sep-2003  00:32  5.0.2195.6824     57,104  W32tm.exe

Windows Server 2003 service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100

(http://support.microsoft.com/kb/889100/ )

How to obtain the latest service pack for Windows Server 2003

Windows Server 2003 hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

(http://support.microsoft.com/contactus/?ws=support)

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

Windows Server 2003, 32-bit editions

   Date         Time   Version            Size  File name
   --------------------------------------------------------
   02-Nov-2004  01:26  5.2.3790.229  1,532,416  Ntdsa.dll
   02-Nov-2004  01:26  5.2.3790.212     32,768  Ntdsatq.dll
   19-Sep-2004  11:41  5.2.3790.212     59,392  Ws03res.dll

Windows Server 2003, 64-bit editions

   Date         Time   Version            Size  File name     Platform
   -------------------------------------------------------------------
   02-Nov-2004  01:21  5.2.3790.229  4,057,088  Ntdsa.dll     IA-64
   02-Nov-2004  01:21  5.2.3790.212     82,432  Ntdsatq.dll   IA-64
   19-Sep-2004  09:43  5.2.3790.212     58,880  Ws03res.dll   IA-64
   19-Sep-2004  11:41  5.2.3790.212     59,392  Wws03res.dll    x86

After you install the hotfix in Windows 2000 and in Windows Server 2003, you can set forest-wide dsHeuristic flags to control which operator groups are protected by adminSDHolder. By using this new option, you can set some or all the enlisted four protected groups back to the original Windows 2000 behavior. Character position 16 is interpreted as a hexadecimal value, where the left-most character is position 1. Therefore, the only valid values are "0" through "f". Each operator group has a specific bit as follows:

Bit 0 : Account Operators
Bit 1 : Server Operators
Bit 2 : Print Operators
Bit 3 : Backup Operators

For example, a value of 0001 means exclude Account Operators. A value of 'c' would exclude Print Operators (0100) and Backup Operators (1000) because the binary sum 1100 reflects a hexadecimal value of 0xC.

To enable the new functionality, you must modify an object in the configuration container. This setting is forest wide. To modify the object, follow these steps:

Locate the object that you want to modify. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
326690
(http://support.microsoft.com/kb/326690/ )
Anonymous LDAP operations to Active Directory are disabled on Windows Server 2003 domain controllers
At a command prompt, type ldp.exe and then press ENTER to start the LDP utility.
Click Connection, click connect and then click OK.
Click Connection, click Bind, type the user name and password of a forest root administrator, and then click OK.
Click View, click Tree, and then click OK.
Using View\Tree, open the following configuration CN:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Forest root domain
Locate the Directory Service object, and then double-click it.
Check the object attribute listing on the right side to determine whether the dsHeuristics attribute is already set. If it is set, copy the existing value to the clipboard.
Right-click the Directory Service objects on the left side, and then click Modify.
As the attribute name, type dsHeuristics.
As a value, type 000000000100000f. Replace the zeros in the first part of the value with what you may already have in dsHeuristics. Make sure that you have the correct count of digits up to the "f" or whatever bits you want to set.

Note To verify that the correct characters are being modified, every tenth character must be set to the number of characters up to that point divided by ten. For example, the tenth character must be 1, the twentieth character must be 2, the thirtieth character must be 3, and so on.
If the attribute already existed, click Replace in the Operation box. Otherwise, click Add.
Press ENTER on the right to the Operation group to add it to the LDAP transaction.
Click Run to apply the change to the object. After this change is replicated to the PDC emulators in the forest, the ones that are running this hotfix will not protect the users who are members of the operators group that you have set the bits for.

Back to the top | Give Feedback

WORKAROUND

To work around this problem, use one of the following methods.

Method 1: Make sure members are not members of a protected group

If you use permissions that are delegated at the organizational unit level, make sure that all users who require the delegated permissions are not members of one of the protected groups. For users who were previously members of a protected group, the inheritance flag is not automatically reset when the user is removed from a protected group. To do this, you can use the following script.

Note This script checks the inheritance flag for all users whose AdminCount is set to 1. If inheritance is disabled (SE_DACL_PROTECTED is set), the script will enable inheritance. If inheritance is already enabled, inheritance will remain enabled. Additionally, AdminCount will be reset to 0. When the adminSDHolder thread runs again, it will disable inheritance and set AdminCount to 1 for all users who remain in protected groups. Therefore, AdminCount and inheritance are set correctly for all users who are no longer members of protected groups.

Use the following command to run the script:

cscript /nologo resetaccountsadminsdholder.vbs

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

'********************************************************************
'*
'* File:           ResetAccountsadminSDHolder.vbs 
'* Created:        November 2003
'* Version:        1.0
'*
'*  Main Function:  Resets all accounts that have adminCount = 1 back
'*	to 0 and enables the inheritance flag
'*
'*  ResetAccountsadminSDHolder.vbs 
'*
'* Copyright (C) 2003 Microsoft Corporation
'*
'********************************************************************

Const SE_DACL_PROTECTED = 4096

On Error Resume Next

Dim sDomain
Dim sADsPath
Dim sPDC


Dim oCon 
Dim oCmd
Dim oRst
Set oRst = CreateObject("ADODB.Recordset")
Set oCmd = CreateObject("ADODB.Command")
Set oCon = CreateObject("ADODB.Connection")

Dim oRoot
Dim oDomain
Dim oADInfo
Dim oInfo
Set oADInfo = CreateObject("ADSystemInfo")
Set oInfo = CreateObject("WinNTSystemInfo")
sPDC = oInfo.PDC & "." & oADInfo.DomainDNSName

oCon.Provider = "ADSDSOObject"
oCon.Open "Active Directory Provider"

oCmd.ActiveConnection = oCon

Set oRoot = GetObject("LDAP://rootDSE")
sDomain = oRoot.Get("defaultNamingContext")
Set oDomain = GetObject("LDAP://" & sDomain)
sADsPath = "<" & oDomain.ADsPath & ">"

oCmd.CommandText = "SELECT ADsPath FROM 'LDAP://" & sPDC & "/" & sDomain & "' WHERE objectCategory='person' and objectClass = 'user' AND adminCount = 1"
Set oRst = oCmd.Execute

WScript.Echo "searching for objects with 'admin count = 1' in " & sDomain

If oRst.RecordCount = 0 Then
    WScript.Echo "no accounts found"
    WScript.Quit
End If

Do While Not oRst.EOF
    WScript.Echo  "found object " & oRst.Fields("ADsPath")
    If SetInheritanceFlag(oRst.Fields("ADsPath")) = 0 Then WScript.Echo "Inheritance flag set"
    If SetAdminCount(oRst.Fields("ADsPath"), 0) = 0 Then WScript.Echo "adminCount set to 0"
    WScript.Echo  "=========================================="
    oRst.MoveNext
Loop


Private Function SetInheritanceFlag(DSObjectPath)

    Dim oSD
    Dim oDACL
    Dim lFlag
    Dim oIADs

    Set oIADs = GetObject(DSObjectPath)

    Set oSD = oIADs.Get("nTSecurityDescriptor")

    If oSD.Control And SE_DACL_PROTECTED Then
        oSD.Control = oSD.Control - SE_DACL_PROTECTED
    End If

    oIADs.Put "nTSecurityDescriptor", oSD
    oIADs.SetInfo
    
    If Err.Number <> 0 Then
        SetInheritanceFlag = Err.Number
    Else
        SetInheritanceFlag = 0
    End If

End Function


Private Function SetAdminCount(DSObjectPath, AdminCount)

    Dim oIADs
    Dim iAdminCount

    Set oIADs = GetObject(DSObjectPath)

    iAdminCount = oIADs.Get("adminCount")

    If iAdminCount = 1 Then iAdminCount = 0

    oIADs.Put "adminCount", iAdminCount
    oIADs.SetInfo
    If Err.Number <> 0 Then
        SetAdminCount = Err.Number
    Else
        SetAdminCount = 0
    End If
    
End Function

To make sure that you do not adversely affect users, we recommend that you first dump the users who have AdminCount set to 1 by using Ldifde.exe. To do this, type the following command at a command prompt, and then press ENTER:

ldifde -f Admincount-1.txt -d dc=your domain -r "(&(objectcategory=person)(objectclass=user)(admincount=1))"

Review the output file to confirm that all users who will have the DACL protected bit cleared will have the correct permissions with inherited access controlled entries (ACEs) only. This method is preferred and does not weaken existing security.

Back to the top | Give Feedback

Method 2: Enable inheritance on the adminSDHolder container

If you enable inheritance on the adminSDHolder container, all members of the protected groups have inherited permissions enabled. In terms of security functionality, this method reverts the behavior of the adminSDHolder container back to the pre-Service Pack 4 functionality.

Enabling inheritance on the adminSDHolder container

If you enable inheritance on the adminSDHolder container, one of the two protective access control list (ACL) mechanisms is disabled. The default permissions are applied. However, all members of protected groups inherit permissions from the organizational unit and any parent organizational units if inheritance is enabled at the organizational unit level.

To provide inheritance protection for administrative users, move all administrative users (and other users who require inheritance protection) to their own organizational unit. At the organizational unit level, remove inheritance and then set the permissions to match the current ACLs on the adminSDHolder container. Because the permissions on the adminSDHolder container may vary (for example, Microsoft Exchange Server adds some permissions or the permissions may have been modified), review a member of a protected group for the current permissions on the adminSDHolder container. Be aware that the user interface (UI) does not display all permissions on the adminSDHolder container. Use DSacls to view all permissions on the adminSDHolder container.

You can enable inheritance on the adminSDHolder container by using ADSI Edit or Active Directory Users and Computers. The path of the adminSDHolder container is CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note If you use Active Directory Users and Computers, make sure that Advanced Features is selected on the View menu.

To enable inheritance on the adminSDHolder container:

Right-click the container, and then click Properties.
Click the Security tab.
Click Advanced.
Click to select the Allow Inheritable permissions to propagate to this object and all child objects check box .
Click OK, and then click Close.

The next time that the SDProp thread runs, the inheritance flag is set on all members of protected groups. This procedure may take up to 60 minutes. Allow sufficient time for this change to replicate from the primary domain controller (PDC).

Method 3: Avoid inheritance and only change ACLs

If you do not want users who are members of Protected Groups to inherit permissions from the container that the users reside in, and you only want to change the security on the user objects, you can edit the security on the adminSDHolder container directory. In this scenario, you do not have to enable Inheritance on the adminSDHolder container. You only have to add that group or edit the security of the security groups that are already defined on the adminSDHolder container. After one hour, the SDProp thread will apply the change made to the ACLs of the adminSDHolder container to all the members of protected groups. The members will not inherit the security of the container they reside in.

For example, the Self account requires the Allow to Read All Properties right. Edit the adminSDHolder container security settings to allow this right on the Self account. After one hour, this right will be allowed to the Self account for all users who are members of protected groups. The Inheritance flag is not changed.

The following example demonstrates how to apply changes onto the adminSDHolder object only. This example grants the following permissions on the adminSDHolder object:

List Contents
Read All Properties
Write All Properties

To grant these permissions on the adminSDHolder object, follow these steps:

In Active Directory Users and Computers, click Advanced Features on the View menu.
Locate the adminSDHolder object. The object is in the following location for each domain in the Active Directory forest: CN=adminSDHolder,CN=System,DC=domain,DC=com Here, DC=domain,DC=com is the distinguished name of the domain.
Right-click adminSDHolder, and then click Properties.
In the Properties dialog box, click the Security tab and then click Advanced.
In the Access Control Settings for adminSDHolder dialog box, click Add on the Permissions tab.
In the Select User, Computer, or Group dialog box, click the account to which you want to grant related permissions, and then click OK.
In the Permissions Entry for adminSDHolder dialog box, click This object only in the Apply onto box, and then click List Contents, Read All Properties, and Write All Properties rights.
Click OK to close the Permissions Entry for adminSDHolder dialog box, the Access Control Settings for adminSDHolder dialog box, and the adminSDHolder Properties dialog box.

Within one hour, the ACL will be updated on the user objects associated with the protected groups to reflect the changes. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

232199

(http://support.microsoft.com/kb/232199/ )

Description and update of the Active Directory adminSDHolder object

318180

(http://support.microsoft.com/kb/318180/ )

AdminSDHolder thread affects transitive members of distribution groups

Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 1.

Back to the top | Give Feedback

MORE INFORMATION

Active Directory uses a protection mechanism to make sure that ACLs are set correctly for members of sensitive groups. The mechanism runs one time an hour on the PDC operations master. The operations master compares the ACL on the user accounts that are members of protected groups against the ACL on the following object:

CN=adminSDHolder,CN=System,DC=<MyDomain>,DC=<Com>

Note "DC=<MyDomain>,DC=<Com>" represents the distinguished name (DN) of your domain.

If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the adminSDHolder object (and ACL inheritance is disabled). This process protects these accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit where a malicious user has been delegated administrative credentials to modify user accounts. Be aware that when a user is removed from the administrative group, the process is not reversed and must be manually changed.

Note To control the frequency at which the adminSDHolder object updates security descriptors, create or modify the AdminSDProtectFrequency entry in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

When the AdminSDProtectFrequency registry entry is not present, the adminSDHolder object updates security descriptors every 60 minutes (3600 seconds). You can use this registry entry to set this frequency to any rate between 1 minute (60 seconds) and 2 hours (7200 seconds) by entering the value in seconds. However, we do not recommend that you modify this value except for brief testing periods. Modifying this value can increase LSASS processing overhead.

The following list describes the protected groups in Windows 2000:

Enterprise Admins
Schema Admins
Domain Admins
Administrators

The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:

Administrators
Account Operators
Server Operators
Print Operators
Backup Operators
Domain Admins
Schema Admins
Enterprise Admins
Cert Publishers

Additionally the following users are also considered protected:

Administrator
Krbtgt

Be aware that membership in distribution groups does not populate a user token. Therefore, you cannot use tools such as "whoami" to successfully determine group membership.

For more information about delegated administration, download the Best Practices for Delegating Active Directory Administration white paper. To do this, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

(http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en)

Back to the top | Give Feedback