Description and Update of the Active Directory AdminSDHolder Object

Summary

The information in this article applies only to upgrading from Windows 2000 RC2 (or earlier builds) to the released version of Windows 2000. A change was made in Windows 2000 RC3 to the access control list (ACL) of the AdminSDHolder Active Directory object. This object is used to control the permissions of user accounts that are members of the built-in Administrators or Domain Administrators groups.

Every hour, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the following object:
CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com

Replace "DC=MyDomain,DC=Com" in this path with the distinguished name (DN) of your domain.
If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.

NOTE: Using the following procedure is not required if you are upgrading Microsoft Windows NT 4.0 to the released version of Windows 2000.

More Information

To correct this situation, use this procedure on one domain controller per domain:
  1. Install the Windows 2000 Support tools from the Windows 2000 Professional or Server CD-ROM. These tools include a utility named Dsacls.exe, which you can use to view, modify, or remove access control entries on objects in Active Directory.
  2. Create a batch file with the following text, replacing "DC=MyDomain,DC=Com" with the distinguished name (DN) of your domain):
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Everyone:CA;Change Password"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Remote Access Information"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;General Information"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Group Membership"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Logon Information"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Account Restrictions"
  3. Run the batch file on the domain controller. It adds the specified Access Control entries (ACEs) for the Everyone and Pre-Windows 2000 Compatible Access groups.
  4. At a command prompt, type dsacls cn=adminsdholder,cn=system,dc=mydomain,dc=com, replacing "DC=MyDomain,DC=Com" with the distinguished name (DN) of your domain). Compare it to the following output:

    Access list:
    {This object is protected from inheriting permissions from the parent}
    Effective Permissions on this object are:
    Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
    READ PERMISSONS
    LIST CONTENTS
    READ PROPERTY
    LIST OBJECT
    Allow BUILTIN\Administrators SPECIAL ACCESS
    DELETE
    READ PERMISSONS
    WRITE PERMISSIONS
    CHANGE OWNERSHIP
    CREATE CHILD
    DELETE CHILD
    LIST CONTENTS
    WRITE SELF
    WRITE PROPERTY
    READ PROPERTY
    LIST OBJECT
    CONTROL ACCESS
    Allow IFRPILOT\Enterprise Admins SPECIAL ACCESS
    READ PERMISSONS
    WRITE PERMISSIONS
    CHANGE OWNERSHIP
    CREATE CHILD
    DELETE CHILD
    LIST CONTENTS
    WRITE SELF
    WRITE PROPERTY
    READ PROPERTY
    LIST OBJECT
    CONTROL ACCESS
    Allow FAA\Domain Admins SPECIAL ACCESS
    READ PERMISSONS
    WRITE PERMISSIONS
    CHANGE OWNERSHIP
    CREATE CHILD
    DELETE CHILD
    LIST CONTENTS
    WRITE SELF
    WRITE PROPERTY
    READ PROPERTY
    LIST OBJECT
    CONTROL ACCESS
    Allow NT AUTHORITY\SYSTEM FULL CONTROL
    Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
    READ PERMISSONS
    LIST CONTENTS
    READ PROPERTY
    LIST OBJECT
    Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information
    READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information
    READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership
    READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions
    READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information
    READ PROPERTY
    Allow Everyone Change Password
Eigenschaften

Artikelnummer: 232199 – Letzte Überarbeitung: 23.02.2007 – Revision: 1

Feedback