Article ID: 251343
This article was previously published under Q251343
Microsoft Windows NT 4.0 and earlier protects the users in administrative groups by changing the Access Control List (ACL) on each member at the moment it is added to the group. Windows 2000 cannot use that method, because it supports nested groups and universal groups: a universal group can have members in other domains and can itself be a member of groups in other domains, so membership in an administrative group can change without anyone modifying that group directly.
Windows 2000 instead protects administrative groups with the Security Descriptor propagator (SDPROP), a background process in the directory service. SDPROP first computes the membership of all administrative groups transitively, so that nested and universal group members are included. It then walks the resulting list of objects and compares each object's security descriptor with the well-known protected security descriptor, which is held on the AdminSDHolder object (CN=AdminSDHolder,CN=System in the domain naming context). If an object does not carry the protected security descriptor, SDPROP stamps it onto the object, overwriting whatever permissions were there and blocking inheritance from the parent container. This task runs only on the domain controller that holds the primary domain controller (PDC) emulator Flexible Single Master Operation (FSMO) role, so administrative protection in a domain depends on that one domain controller being available.
The SD propagator runs in the background and also updates the inherited permissions of containers and objects in Active Directory as they are moved from one organizational unit to another. In rare circumstances, it may be necessary to force a run of the SD propagator manually rather than wait for its next scheduled pass, by using the Lightweight Directory Access Protocol (LDAP) tool Ldp.exe:
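The following script is an added example and is not part of the original article; it reproduces the two steps described above from the administrator's side. It computes the transitive membership of the protected groups, compares each member's security descriptor with the one on AdminSDHolder, and, when run with the hypothetical -Force switch, performs the same rootDSE modification that forcing a propagation run through Ldp.exe performs. It assumes the RSAT ActiveDirectory PowerShell module, read access to nTSecurityDescriptor, Domain Admin rights on the PDC emulator for the forced run, and Windows Server 2008 or later for the runProtectAdminGroupsTask attribute (on Windows 2000/2003 the attribute is fixupInheritance). The list of protected groups, given by well-known SID, and the adminCount=1 marker that SDPROP sets on protected objects are facts about the mechanism that the article does not spell out.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from KB 251343: audit what SDPROP maintains and optionally
# force a propagation run. Assumes RSAT ActiveDirectory module and rights to
# read nTSecurityDescriptor; -Force needs Domain Admin on the PDC emulator.
param([switch]$Force)

Import-Module ActiveDirectory

$domain      = Get-ADDomain
$pdc         = $domain.PDCEmulator            # SDPROP runs only here
$domainSid   = $domain.DomainSID.Value
$adminHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Groups whose members SDPROP protects, by well-known SID (builtin and domain RIDs).
# Enterprise Admins (519) and Schema Admins (518) exist only in the forest root,
# so the lookup is allowed to fail in child domains.
$protectedSids = @(
    'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550',
    'S-1-5-32-551', 'S-1-5-32-552',
    "${domainSid}-512", "${domainSid}-516", "${domainSid}-518",
    "${domainSid}-519", "${domainSid}-521"
)

# Reference descriptor: the DACL SDPROP stamps onto every protected object.
$holder  = Get-ADObject -Identity $adminHolder -Server $pdc -Properties nTSecurityDescriptor
$refDacl = $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')

# Step 1 of SDPROP: transitive membership of all protected groups.
# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nesting server-side.
# Group DNs containing ( ) * or \ would need LDAP filter escaping; the default ones do not.
$members = @{}
foreach ($sid in $protectedSids) {
    try   { $group = Get-ADGroup -Identity $sid -Server $pdc }
    catch { continue }
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    Get-ADObject -Server $pdc -LDAPFilter $filter |
        ForEach-Object { $members[$_.DistinguishedName] = $_ }
}

# Step 2: compare each member's descriptor with the reference.
$report = foreach ($dn in $members.Keys) {
    $obj = Get-ADObject -Identity $dn -Server $pdc -Properties adminCount, nTSecurityDescriptor
    $sd  = $obj.nTSecurityDescriptor
    [pscustomobject]@{
        DistinguishedName  = $dn
        ObjectClass        = $obj.ObjectClass
        AdminCount         = $obj.adminCount
        InheritanceBlocked = $sd.AreAccessRulesProtected
        DaclMatchesHolder  = ($sd.GetSecurityDescriptorSddlForm('Access') -eq $refDacl)
    }
}

# Anything SDPROP has not (yet) stamped shows up here: wrong DACL, inheritance
# still enabled, or adminCount not set to 1.
$drift = $report | Where-Object {
    -not $_.DaclMatchesHolder -or -not $_.InheritanceBlocked -or $_.AdminCount -ne 1
}
if ($drift) { $drift | Format-Table -AutoSize } else { "All $($report.Count) protected members match AdminSDHolder." }

# Step 3 (optional): force SDPROP instead of waiting for its periodic run.
# The write must target the PDC emulator; other DCs accept it but nothing happens.
if ($Force) {
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('runProtectAdminGroupsTask', '1')   # Windows 2000/2003: Put('fixupInheritance', 'yes')
    $rootDse.SetInfo()
}
```

A row in the drift report is a prompt to investigate, not proof of tampering: a member added since the last propagation pass is expected to drift until SDPROP runs again, and members that live in another domain are governed by that domain's AdminSDHolder and its own PDC emulator, so they do not appear in a single-domain query at all. Objects that carry adminCount=1 but are no longer members of any protected group are the opposite case; SDPROP does not clean those up, so their permissions stay frozen until an administrator resets them.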
Article ID: 251343 - Last Review: March 1, 2007 - Revision: 2.4