Monday, May 23, 2011

AdminSDHolder

Description and Update of the Active Directory AdminSDHolder Object - http://support.microsoft.com/default.aspx?scid=kb;en-us;232199

AdminSDHolder exists to protect members of the built-in administrative groups. These accounts are deemed security-sensitive, so once per hour the security descriptor propagator (SDProp) reapplies the ACL stored on the AdminSDHolder object to them, overwriting any changes made in the meantime. This can cause problems because of the way protected accounts are identified: by membership in a protected group, including membership through nested groups.

As an example, if you have a group called CorpHelpDesk, and CorpHelpDesk is a member of CorpAccountOps, which is in turn a member of the Account Operators built-in group, then AdminSDHolder will apply its ACL to every member of CorpHelpDesk on the basis of that nested group membership.

Delegated permissions are not available and inheritance is automatically disabled - http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

How to work around issues with AdminSDHolder, plus hotfixes for Windows 2000 and 2003 that resolve permission delegation issues.

AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts - http://support.microsoft.com/default.aspx?scid=kb;en-us;306398

How to work around a Windows 2000 issue where removing a user from a protected group does not re-enable the 'Allow inheritable permissions' setting on the object, so help desk users remain unable to manage those accounts.
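The two behaviours described above (protection decided by nested group membership, and accounts that keep the protected ACL after leaving the group) can be audited with a short script. The following is an added example, not code from the original post or from Microsoft: it assumes the ActiveDirectory PowerShell module (RSAT) and read access to group membership and the adminCount attribute, and the list of protected groups is an assumption to adjust for your forest, since the set differs between Windows versions.

```powershell
# Added example, not part of the original post: audit which users SDProp will stamp with
# the AdminSDHolder ACL, and find accounts left "orphaned" after leaving a protected group.
# Assumes the ActiveDirectory module (RSAT). The group list below is an assumption; the
# protected set differs by Windows version, so adjust it for your forest.
Import-Module ActiveDirectory

$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
)

# 1. Resolve membership transitively, the way SDProp does: a user in CorpHelpDesk, nested
#    under CorpAccountOps, nested under Account Operators, counts as protected.
$protected = @{}
foreach ($name in $protectedGroups) {
    try { $group = Get-ADGroup -Identity $name } catch { continue }  # e.g. Enterprise Admins outside the forest root
    # -Recursive expands nested groups; it cannot expand foreign security principals from trusted forests
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protected[$_.distinguishedName] = $true }
}
Write-Output "Users currently protected via group membership: $($protected.Count)"

# 2. SDProp sets adminCount=1 on every account it touches but never clears it. An account
#    with adminCount=1 that is no longer in any protected group keeps the AdminSDHolder ACL
#    with inheritance disabled, which is why delegated help desk rights stop working on it.
#    Administrator and krbtgt are protected directly rather than via a group, so exclude them.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object {
        -not $protected.ContainsKey($_.DistinguishedName) -and
        $_.SamAccountName -notin @('Administrator', 'krbtgt')
    }
$orphans | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# 3. Remediation for an orphan: re-enable inheritance on the object (the setting the KB above
#    says is left disabled) and clear the stale adminCount marker. Supports -WhatIf.
function Restore-DelegatedAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$DistinguishedName)

    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance and clear adminCount')) {
        $acl = Get-Acl -Path "AD:\$DistinguishedName"
        $acl.SetAccessRuleProtection($false, $true)   # isProtected=$false, keep existing inherited ACEs
        Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        Set-ADUser -Identity $DistinguishedName -Clear adminCount
    }
}

# Dry run first, then drop -WhatIf once the orphan list has been reviewed:
# foreach ($o in $orphans) { Restore-DelegatedAccess -DistinguishedName $o.DistinguishedName -WhatIf }
```

Review the orphan list before remediating: an account that is a member of a protected group only through a group in a trusted forest will not be expanded by Get-ADGroupMember and can show up here even though SDProp will re-protect it on its next pass.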

Best Practices for Delegating Active Directory Administration - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/actdid3.mspx

An excellent article on Delegation and how to best leverage the technology for common administrative tasks. The article goes into how the technology actually works, recommendations on using it effectively, and common pitfalls that can be avoided.

How Security Principals Work - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6375943b-1089-4ec5-9b2d-823b884ec1ec.mspx

Finally, an architectural guide to security principals in Windows 2000/2003. Covers the well-known SIDs, the purpose of the individual built-in accounts, group types, the built-in groups, and much more.
