Did I miss a portion of this conversation? What on earth does this have to do with the original question about userAccountControl flags being manipulated?
AdminSDHolder has nothing to do with the original issue stated. I would also respectfully submit that this behavior is indeed by design, but to protect admins from themselves, not because they provided feedback to MS. Most people had no clue what it was or why it was designed that way 10 or 12 years ago but it saved people from shooting themselves in the foot by not allowing lesser privileged built-in groups to manage their most highly prized assets and closed a potential glaring loophole in the default ACLs.

From: pdw1...@hotmail.com [mailto:pdw1...@hotmail.com]
Sent: Friday, July 20, 2012 8:42 AM
To: NT System Admin Issues
Subject: RE: chagne AD p/w option

@Chris - No question. I just was letting the group know what I had found since they had mentioned it was either gpo or script.

It's almost all the accounts. Reading through the article it did state that it also applied to any user that was part of a security or distribution group.

Thanks for the link, David.

________________________________
From: david....@nwea.org
To: ntsysadmin@lyris.sunbelt-software.com
Subject: RE: chagne AD p/w option
Date: Fri, 20 Jul 2012 15:33:05 +0000

Our own Michael B Smith has an article as well:
http://theessentialexchange.com/blogs/michael/archive/2008/10/22/admincount-adminsdholder-sdprop-and-you.aspx

I thought you had this for every account? My bad for not asking that clarifying question... Unless they were all members at one time of one of the AdminSDHolder groups at one time it shouldn't be affecting everyone.

But yes if it's just specific accounts, you need to fire up ADSIEdit and set the adminCount attribute to "0". This needs to be done to any account that was, say, Domain Admins that you later removed from Domain Admins (or any other AdminSDHolder group). For me it's SOP if I remove someone from Domain Admins that I fire up ADSIEdit and set the adminCount to zero.

This behavior is by design, because that's the feedback Microsoft got from us admins...

Dave

From: hotmail_2d1f874cdc16f...@live.com [mailto:hotmail_2d1f874cdc16f...@live.com] On Behalf Of pa...@mmcwm.com
Sent: Friday, July 20, 2012 8:10 AM
To: NT System Admin Issues
Subject: chagne AD p/w option

I posted a question regarding that to the MS forums and it looks like they've seen it before. They posted this link:
http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

Some days I long for the simplicity of NT 3.51 and MS Mail.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
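
The cleanup discussed in the thread (resetting adminCount on accounts that were removed from Domain Admins or another AdminSDHolder group) first needs a list of accounts that still carry the flag without the membership. The following is an added example, not part of the thread: it walks nested group membership over a constructed directory export, and the DNs, account names and the set of protected groups are assumptions.

```python
# Constructed sample data: not taken from the thread or from any real directory.
BASE = "DC=example,DC=test"
DA = f"CN=Domain Admins,CN=Users,{BASE}"
TIER0 = f"CN=Tier0 Ops,OU=Groups,{BASE}"
HELPDESK = f"CN=Helpdesk,OU=Groups,{BASE}"
LOOP = f"CN=Loop,OU=Groups,{BASE}"

# Assumption: the groups treated as AdminSDHolder-protected in this export.
PROTECTED = {DA}

# group DN -> DNs of the groups it is a direct member of (memberOf).
# HELPDESK and LOOP are nested in each other to show cycle handling.
GROUP_MEMBER_OF = {DA: [], TIER0: [DA], HELPDESK: [LOOP], LOOP: [HELPDESK]}

# Note: membership via primaryGroupID does not appear in memberOf and
# would have to be added to this export separately.
USERS = [
    {"sam": "alice", "adminCount": 1, "memberOf": [DA]},        # direct member
    {"sam": "bob", "adminCount": 1, "memberOf": [TIER0]},       # nested member
    {"sam": "carol", "adminCount": 1, "memberOf": [HELPDESK]},  # flag left behind
    {"sam": "dan", "adminCount": None, "memberOf": [HELPDESK]}, # never flagged
    {"sam": "erin", "adminCount": 1, "memberOf": []},           # flag left behind
]


def reaches_protected(start_dns):
    """True if any group in start_dns is, or is nested in, a protected group."""
    stack, seen = list(start_dns), set()
    while stack:
        dn = stack.pop()
        if dn in PROTECTED:
            return True
        if dn in seen:          # already visited: guards against nesting loops
            continue
        seen.add(dn)
        stack.extend(GROUP_MEMBER_OF.get(dn, []))
    return False


def stale_admincount(users):
    """Accounts with adminCount=1 that no longer belong to a protected group."""
    return sorted(
        u["sam"] for u in users
        if u.get("adminCount") == 1 and not reaches_protected(u["memberOf"])
    )


if __name__ == "__main__":
    for sam in stale_admincount(USERS):
        print(f"{sam}: adminCount=1 but no protected-group membership")
```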