This article was previously published under Q251343
Microsoft Windows NT 4.0 and earlier protects the users in administrative groups by changing the Access Control List (ACL) on the members as they are added to the groups. Windows 2000 uses a different method to accommodate support for nested groups and universal groups. Windows 2000 supports universal groups, which can have members in other domains and could themselves be members of groups in other domains.
Windows 2000 uses the SD propagator (SDPROP) background process to implement the protection of administrative groups. This process first computes the set of memberships in transitive fashion for all administrative groups. It then walks the list of objects that it has and checks whether the security descriptor on the objects is a well-known protected security descriptor. If the well-known protected security descriptor is not set, it sets this security descriptor on the object. This task runs only on the primary domain controller Flexible Single Master Operation (FSMO) role holder.
The SD propagator runs in the background and updates the inherited permissions of containers and objects in Active Directory as they are moved from one organizational unit to another. In rare circumstances, it may be necessary to force a run of the SD propagator manually by using the Lightweight Directory Protocol tool (LDAP):
To use the Ldp.exe tool, verify that the Windows 2000 Support Tools are installed by clicking Start, pointing to Programs, pointing to Administrative Tools and then locating Windows 2000 Support Tools. If this command exits, skip to step 3. If it does not exist, continue with step 2 to install the Windows 2000 Support Tools.
To install the Windows 2000 Support Tools, insert your Windows 2000 installation CD-ROM, and then double-click Setup.exe in the Support\Tools folder on the CD-ROM.
To run Ldp.exe, click Start, click Run, type ldp, and then click OK.
Click Connection, click Connect, and then type the server name you want to connect to. This connects over port 389 for Active Directory. Click Connection, click Bind, and then type the appropriate administrative user name, password, and domain. Click OK. Note that you should type domain administrator or enterprise administrator credentials.
On the Browse menu, click Modify. In the Modify dialog box, leave the DN box blank. In the Attribute box, type FixUpInheritance. Set the Value box to Yes.
In the Operation box, click Add. Click Enter to populate the Entry List dialog box, which should read "[Add]fixupinheritance:yes".
Click Run. The right pane indicates "Modified." This starts the SD propagator. The run time for the SD propagator is linear with the size of the Active Directory database. The process is complete when the "DS Security Propagation Events" counter in the NTDS Performance object returns to 0.