AdminSDHolder Thread Affects Transitive Members of Distribution Groups
Content provided by Microsoft
An Active Directory domain controller that holds the primary domain controller (PDC) operations master role (also known as the flexible single master operations role or the FSMO role) runs a thread every hour to check the access control lists (ACLs) on the following groups and all of the member objects of these groups:
Replicator Server Operators
If a user account is a member of one of these administrative groups because of its membership with a distribution group, the user account's ACL is checked when the thread is run and may be reset to match the ACL of the AdminSDHolder thread. If you use the repadmin /showmeta user distinguished name command to view the user account, you see that the ntSecurityDescriptor attribute is set within one hour after the last time you changed the ACL on the user account. The user account also contains the AdminCount attribute.
This article describes how the AdminSDHolder thread affects transitive members of distribution groups. For additional information about the AdminSDHolder thread, click the following article number to view the article in the Microsoft Knowledge Base:
232199 Description and update of Active Directory AdminSDHolder object
Membership of a distribution group does not normally have any security significance. For example, if UserA is a member of Distribution GroupA and Distribution GroupA is a member of the Domain Admins group, UserA is not a member of the Domain Admins group if the user is logged on to the computer. The distribution group blocks security group membership. However, the enumeration algorithm that is used by the AdminSDHolder thread is fast and simple and it includes UserA during the transitive iteration of the Domain Admins group.
You can change groups from being a distribution group to a security group; therefore, the enumeration algorithm that is used by the AdminSDHolder thread ensures that all transitive members are covered in both cases. Do not make distribution groups members of security groups, if possible. You do not experience unexpected behavior after you change the group from a distribution group to a security group if you do not make distribution groups members of security groups. A user that is covered by the enumeration algorithm that is used by the AdminSDHolder thread has an AdminCount attribute that has a value that is greater than or equal to 1.