RE: [ActiveDir] AdminSDHolder orphans
Hi Tony, late response as well - sorry. I guess why this isn't cleaned up is the same thing as in many other issues. If you have an admin which is in certain operators groups, and he's loosing those groups, it's likely that he has been delegated in some other ways. So not reversing the settings the account is still protected from malicious delegated admins and someone with higher privileges has to look at this account and take care of it (e.g. looking if it's still in the right OU). On the other hand - and as the others mentioned - this task of cleaning up should not run as often. And you'll either need to store the previous permissions (we don't have an attribute for this right now), or reset to some default permissions (we don't have a container to store them right now), or force the reset of the inheritance and propagate parent permissions down. Also how would we decide to reset the inheritance flag automatically - there might be accounts in the OU which have on purpose the inheritance flag turned off - so is a prior admin supposed to have inheritance turned on or off in those OUs? I don't think the task of resetting the inheritance flag would be complicated, but it's complicated to generalize that it should be reset in any case. Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308- B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Dienstag, 19. Dezember 2006 02:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: Replace the objects security descriptor with that of the AdminSDHolder; Disable permissions inheritance on the object; Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] AdminSDHolder orphans
Hi Ulf Thanks for the thoughts. I can see there could be issues with trying to revert settings after an object is removed from one of the protected groups. I'm now leaning towards the idea of reporting, rather than taking wholesale action. It would be good to have a canned report that shows all of the objects currently protected by the AdminSDHolder, compared with all those that have an adminCount value of 1 (or higher). An administrator could then make the decision to enable permissions inheritance on a case-by-case basis for objects listed in the second category but not the first. Sounds like a feature Joe should add to one of his many freeware tools. The behaviour would be similar to OldCMP. ;-) Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Monday, 22 January 2007 11:32 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder orphans Hi Tony, late response as well - sorry. I guess why this isn't cleaned up is the same thing as in many other issues. If you have an admin which is in certain operators groups, and he's loosing those groups, it's likely that he has been delegated in some other ways. So not reversing the settings the account is still protected from malicious delegated admins and someone with higher privileges has to look at this account and take care of it (e.g. looking if it's still in the right OU). On the other hand - and as the others mentioned - this task of cleaning up should not run as often. And you'll either need to store the previous permissions (we don't have an attribute for this right now), or reset to some default permissions (we don't have a container to store them right now), or force the reset of the inheritance and propagate parent permissions down. Also how would we decide to reset the inheritance flag automatically - there might be accounts in the OU which have on purpose the inheritance flag turned off - so is a prior admin supposed to have inheritance turned on or off in those OUs? I don't think the task of resetting the inheritance flag would be complicated, but it's complicated to generalize that it should be reset in any case. Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308- B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Dienstag, 19. Dezember 2006 02:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: Replace the objects security descriptor with that of the AdminSDHolder; Disable permissions inheritance on the object; Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] AdminSDHolder orphans
I think you make a great point here. Actually I'd prefer something like this in the Eventlog: Event xxx: AdminSDHolder has detected that the following account does not contain to any administrative groups anymore. Administrative Action is required to set security on this object as intended. Please set the attribute admincount to 0 after justifying the security-settings on this account. You know - the same thing as we get when we didn't backup for a while, when clients log on whos IP doesn't belong to any AD-Subnets, ... one of those maintenance events ;-) Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308- B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Montag, 22. Januar 2007 01:00 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder orphans Hi Ulf Thanks for the thoughts. I can see there could be issues with trying to revert settings after an object is removed from one of the protected groups. I'm now leaning towards the idea of reporting, rather than taking wholesale action. It would be good to have a canned report that shows all of the objects currently protected by the AdminSDHolder, compared with all those that have an adminCount value of 1 (or higher). An administrator could then make the decision to enable permissions inheritance on a case-by-case basis for objects listed in the second category but not the first. Sounds like a feature Joe should add to one of his many freeware tools. The behaviour would be similar to OldCMP. ;-) Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Monday, 22 January 2007 11:32 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder orphans Hi Tony, late response as well - sorry. I guess why this isn't cleaned up is the same thing as in many other issues. If you have an admin which is in certain operators groups, and he's loosing those groups, it's likely that he has been delegated in some other ways. So not reversing the settings the account is still protected from malicious delegated admins and someone with higher privileges has to look at this account and take care of it (e.g. looking if it's still in the right OU). On the other hand - and as the others mentioned - this task of cleaning up should not run as often. And you'll either need to store the previous permissions (we don't have an attribute for this right now), or reset to some default permissions (we don't have a container to store them right now), or force the reset of the inheritance and propagate parent permissions down. Also how would we decide to reset the inheritance flag automatically - there might be accounts in the OU which have on purpose the inheritance flag turned off - so is a prior admin supposed to have inheritance turned on or off in those OUs? I don't think the task of resetting the inheritance flag would be complicated, but it's complicated to generalize that it should be reset in any case. Gruesse - Sincerely, Ulf B. Simon-Weidner Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308- B489-F2F1214C811D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Dienstag, 19. Dezember 2006 02:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: Replace the objects security descriptor with that of the AdminSDHolder; Disable permissions inheritance on the object; Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I
[ActiveDir] adminsdholder
Dear all, i think we experieincing issues re not being able to reset permissions on an object that was previously member of protected groups i have read that the issue is around the reset of the value of 'admincount' attribute. as i learn this gets set to 1 when it is becomes a member of protected groups, but ju i wanted to confirm that is a 'supported' operation to merely reset this data to 0 to undo the effect of adminssdholder ?? or whether there are other changes that need to be considered. ? G List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] adminsdholder
setting the attribute to 0 only will not help to stop the adminsdholder from managing a certain group/user you either: * remove it from a protected group, check inheritance and reset admincount to not set * configure dsheuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended as you should not use the default admin groups, but instead delegate stuff) also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Graham Turner Sent: Tue 2007-01-16 15:37 To: activedir@mail.activedir.org Subject: [ActiveDir] adminsdholder Dear all, i think we experieincing issues re not being able to reset permissions on an object that was previously member of protected groups i have read that the issue is around the reset of the value of 'admincount' attribute. as i learn this gets set to 1 when it is becomes a member of protected groups, but ju i wanted to confirm that is a 'supported' operation to merely reset this data to 0 to undo the effect of adminssdholder ?? or whether there are other changes that need to be considered. ? G List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. winmail.dat
RE: [ActiveDir] adminsdholder
You'll also need to re-enable inheritance on the affected account. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: Tuesday, January 16, 2007 6:37 AM To: activedir@mail.activedir.org Subject: [ActiveDir] adminsdholder Dear all, i think we experieincing issues re not being able to reset permissions on an object that was previously member of protected groups i have read that the issue is around the reset of the value of 'admincount' attribute. as i learn this gets set to 1 when it is becomes a member of protected groups, but ju i wanted to confirm that is a 'supported' operation to merely reset this data to 0 to undo the effect of adminssdholder ?? or whether there are other changes that need to be considered. ? G List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] adminsdholder
Jorge, thanks for your reply post i certainly favour the former option on account of the other being a forest-wide configuration. on this basis if we have removed the user from protected groups then doesn't setting do the job ? the permission we are 'losing' is not one that is set at parent OU level and set explicitly on the object so inheritance of the permission is not OR is there something else that needs to be re-enabled by changing the inhertiance on the user object ?? GT 1. removed user from all protected groups setting the attribute to 0 only will not help to stop the adminsdholder from managing a certain group/user you either: * remove it from a protected group, check inheritance and reset admincount to not set * configure dsheuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended as you should not use the default admin groups, but instead delegate stuff) also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Graham Turner Sent: Tue 2007-01-16 15:37 To: activedir@mail.activedir.org Subject: [ActiveDir] adminsdholder Dear all, i think we experieincing issues re not being able to reset permissions on an object that was previously member of protected groups i have read that the issue is around the reset of the value of 'admincount' attribute. as i learn this gets set to 1 when it is becomes a member of protected groups, but ju i wanted to confirm that is a 'supported' operation to merely reset this data to 0 to undo the effect of adminssdholder ?? or whether there are other changes that need to be considered. ? G List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] adminsdholder
either explicit or inherited permissions will be replaced by the permissions defined on the adminsdholder object so if re-applying inheritance is not enough... you would need to define explicit defined permissions... for the default perms you can use the DEFAULT button and all custom added permissions would need to be defined again Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Graham Turner Sent: Tue 2007-01-16 17:37 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] adminsdholder Jorge, thanks for your reply post i certainly favour the former option on account of the other being a forest-wide configuration. on this basis if we have removed the user from protected groups then doesn't setting do the job ? the permission we are 'losing' is not one that is set at parent OU level and set explicitly on the object so inheritance of the permission is not OR is there something else that needs to be re-enabled by changing the inhertiance on the user object ?? GT 1. removed user from all protected groups setting the attribute to 0 only will not help to stop the adminsdholder from managing a certain group/user you either: * remove it from a protected group, check inheritance and reset admincount to not set * configure dsheuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended as you should not use the default admin groups, but instead delegate stuff) also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Graham Turner Sent: Tue 2007-01-16 15:37 To: activedir@mail.activedir.org Subject: [ActiveDir] adminsdholder Dear all, i think we experieincing issues re not being able to reset permissions on an object that was previously member of protected groups i have read that the issue is around the reset of the value of 'admincount' attribute. as i learn this gets set to 1 when it is becomes a member of protected groups, but ju i wanted to confirm that is a 'supported' operation to merely reset this data to 0 to undo the effect of adminssdholder ?? or whether there are other changes that need to be considered. ? G List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx winmail.dat
RE: [ActiveDir] adminsdholder
Jorge, thanks for the mail back i am duly noted on the re-enabling of the inheritance if i may develop this thread a little further .. is there any specific logging of the activity of the adminsdholder process or do we have to fall back to the directory auditing ?? presumably as i understand, there would be a number of elements to this; i. enumeration of objects that are members of protected groups (is this constrained to user objects ??) ii. change of admincount attribute iii. change of inheritance iv. reset of permissions on objects G either explicit or inherited permissions will be replaced by the permissions defined on the adminsdholder object so if re-applying inheritance is not enough... you would need to define explicit defined permissions... for the default perms you can use the DEFAULT button and all custom added permissions would need to be defined again Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Graham Turner Sent: Tue 2007-01-16 17:37 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] adminsdholder Jorge, thanks for your reply post i certainly favour the former option on account of the other being a forest-wide configuration. on this basis if we have removed the user from protected groups then doesn't setting do the job ? the permission we are 'losing' is not one that is set at parent OU level and set explicitly on the object so inheritance of the permission is not OR is there something else that needs to be re-enabled by changing the inhertiance on the user object ?? GT 1. removed user from all protected groups setting the attribute to 0 only will not help to stop the adminsdholder from managing a certain group/user you either: * remove it from a protected group, check inheritance and reset admincount to not set * configure dsheuristics (forest-wide config) as mentioned in http://support.microsoft.com/?id=817433 for some default protected groups (not recommended as you should not use the default admin groups, but instead delegate stuff) also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Graham Turner Sent: Tue 2007-01-16 15:37 To: activedir@mail.activedir.org Subject: [ActiveDir] adminsdholder Dear all, i think we experieincing issues re not being able to reset permissions on an object that was previously member of protected groups i have read that the issue is around the reset of the value of 'admincount' attribute. as i learn this gets set to 1 when it is becomes a member of protected groups, but ju i wanted to confirm that is a 'supported' operation to merely reset this data to 0 to undo the effect of adminssdholder ?? or whether there are other changes that need to be considered. ? G List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] AdminSDHolder orphans
Sorry, Tony. I've been away from emails for most of the week. Did you get a useful response to your question? If not, does my 2-part AdminSDHolder blog (http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx and http://www.akomolafe.com/JustSaying/tabid/193/EntryID/20/Default.aspx) help? No? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Tony Murray Sent: Mon 12/18/2006 5:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: . Replace the object's security descriptor with that of the AdminSDHolder; . Disable permissions inheritance on the object; . Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] AdminSDHolder orphans
OK, I'm embarrassed :-s That was just so lame. I thought the email from Tony was a PM. Oh, well... back to hiding from emails :) Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Akomolafe, Deji Sent: Thu 12/21/2006 6:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder orphans Sorry, Tony. I've been away from emails for most of the week. Did you get a useful response to your question? If not, does my 2-part AdminSDHolder blog (http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx and http://www.akomolafe.com/JustSaying/tabid/193/EntryID/20/Default.aspx) help? No? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Tony Murray Sent: Mon 12/18/2006 5:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: . Replace the object's security descriptor with that of the AdminSDHolder; . Disable permissions inheritance on the object; . Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
Re: [ActiveDir] AdminSDHolder orphans
The SDPROP thread technically, doesn't do anythign with inheritance. That is a trait of the security descriptor, which SDPROP sets. So, realistically, SDPROP overwrites the nTSecurityDescriptor attribute and increments adminCount to 1. The step of setting inheritance to off is unnecessary in the bulleted list (sorry, I know that's pedantic). Should this be reversed? Good question. There could be a cleanup task, but in my mind it shouldn't be part of SDPROP. SDPROP spikes the PDCe enough as it is. Perhaps it should be a different process, possibly running less frequently, e.g. once every 24 hours. As it is, this needs to be process driven. For example, on the current design I'm working on, if an administrator in the English sense of the word (as opposed to the techie definition) requires additional administrative access for a particular change they are elevated via a semi-automated workflow process. This process is done via Active Roles. We're currently working on the technical side of how to undo the effects of SDPROP when such an action occurs, e.g. elevated to schema admins. In the past I've occasionally brute forced this and queried for anyone with an adminCount of 1, set that back to 0 and enabled inheritance and then retriggered SDPROP. We've discussed scheduling this periodically but I don't like it. For one, there might be additional ACEs that are not needed. Cleaning those up is more tricky - you need to strip the ACE, inherit and set any default ACEs, as well as any non-inherited bespoke ACEs back. It's an interesting question. One no doubt the DS guys have pondered. The mechanics of a rollback seem more tricky, as does some of the security implications I'm sure. On another note, adminCount is also a quick and dirty way of proving to someone just how many users they have that have more rights than they need. Especially when they're spewing a load of BS re. how they delegate most functions and only have a select few admins. Just some semi-cohesive thoughts from me for y'all anyway. --Paul - Original Message - From: Brian Desmond [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 19, 2006 2:38 AM Subject: RE: [ActiveDir] AdminSDHolder orphans Yeah this caused me issues when I was at a large client which had this proposensity to put everyone and their brother into a group that triggered this behavior. What I would do is dump everyone with admincount0, then set admincount=0 on all of them, wait a bit, and see who was back to 0 and then fix the deltas. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Monday, December 18, 2006 8:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: * Replace the object's security descriptor with that of the AdminSDHolder; * Disable permissions inheritance on the object; * Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http
RE: [ActiveDir] AdminSDHolder orphans
Paul, On a side note, this part of your response caught my eye... ...and then retriggered SDPROP. Is there a way to manually trigger SDPROP? There have been times when I have wanted to do this but didn't know how or if it was possible. Thanks, ~Ben -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Tuesday, December 19, 2006 1:29 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AdminSDHolder orphans The SDPROP thread technically, doesn't do anythign with inheritance. That is a trait of the security descriptor, which SDPROP sets. So, realistically, SDPROP overwrites the nTSecurityDescriptor attribute and increments adminCount to 1. The step of setting inheritance to off is unnecessary in the bulleted list (sorry, I know that's pedantic). Should this be reversed? Good question. There could be a cleanup task, but in my mind it shouldn't be part of SDPROP. SDPROP spikes the PDCe enough as it is. Perhaps it should be a different process, possibly running less frequently, e.g. once every 24 hours. As it is, this needs to be process driven. For example, on the current design I'm working on, if an administrator in the English sense of the word (as opposed to the techie definition) requires additional administrative access for a particular change they are elevated via a semi-automated workflow process. This process is done via Active Roles. We're currently working on the technical side of how to undo the effects of SDPROP when such an action occurs, e.g. elevated to schema admins. In the past I've occasionally brute forced this and queried for anyone with an adminCount of 1, set that back to 0 and enabled inheritance and then retriggered SDPROP. We've discussed scheduling this periodically but I don't like it. For one, there might be additional ACEs that are not needed. Cleaning those up is more tricky - you need to strip the ACE, inherit and set any default ACEs, as well as any non-inherited bespoke ACEs back. It's an interesting question. One no doubt the DS guys have pondered. The mechanics of a rollback seem more tricky, as does some of the security implications I'm sure. On another note, adminCount is also a quick and dirty way of proving to someone just how many users they have that have more rights than they need. Especially when they're spewing a load of BS re. how they delegate most functions and only have a select few admins. Just some semi-cohesive thoughts from me for y'all anyway. --Paul - Original Message - From: Brian Desmond [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 19, 2006 2:38 AM Subject: RE: [ActiveDir] AdminSDHolder orphans Yeah this caused me issues when I was at a large client which had this proposensity to put everyone and their brother into a group that triggered this behavior. What I would do is dump everyone with admincount0, then set admincount=0 on all of them, wait a bit, and see who was back to 0 and then fix the deltas. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Monday, December 18, 2006 8:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: * Replace the object's security descriptor with that of the AdminSDHolder; * Disable permissions inheritance on the object; * Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony
RE: [ActiveDir] AdminSDHolder orphans
See this KB Manually initializing the SD propagator thread to evaluate inherited permissions for objects in Active Directory http://support.microsoft.com/kb/251343 steve -- Original message -- From: WATSON, BEN [EMAIL PROTECTED] Paul, On a side note, this part of your response caught my eye... ...and then retriggered SDPROP. Is there a way to manually trigger SDPROP? There have been times when I have wanted to do this but didn't know how or if it was possible. Thanks, ~Ben -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Tuesday, December 19, 2006 1:29 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AdminSDHolder orphans The SDPROP thread technically, doesn't do anythign with inheritance. That is a trait of the security descriptor, which SDPROP sets. So, realistically, SDPROP overwrites the nTSecurityDescriptor attribute and increments adminCount to 1. The step of setting inheritance to off is unnecessary in the bulleted list (sorry, I know that's pedantic). Should this be reversed? Good question. There could be a cleanup task, but in my mind it shouldn't be part of SDPROP. SDPROP spikes the PDCe enough as it is. Perhaps it should be a different process, possibly running less frequently, e.g. once every 24 hours. As it is, this needs to be process driven. For example, on the current design I'm working on, if an administrator in the English sense of the word (as opposed to the techie definition) requires additional administrative access for a particular change they are elevated via a semi-automated workflow process. This process is done via Active Roles. We're currently working on the technical side of how to undo the effects of SDPROP when such an action occurs, e.g. elevated to schema admins. In the past I've occasionally brute forced this and queried for anyone with an adminCount of 1, set that back to 0 and enabled inheritance and then retriggered SDPROP. We've discussed scheduling this periodically but I don't like it. For one, there might be additional ACEs that are not needed. Cleaning those up is more tricky - you need to strip the ACE, inherit and set any default ACEs, as well as any non-inherited bespoke ACEs back. It's an interesting question. One no doubt the DS guys have pondered. The mechanics of a rollback seem more tricky, as does some of the security implications I'm sure. On another note, adminCount is also a quick and dirty way of proving to someone just how many users they have that have more rights than they need. Especially when they're spewing a load of BS re. how they delegate most functions and only have a select few admins. Just some semi-cohesive thoughts from me for y'all anyway. --Paul - Original Message - From: Brian Desmond To: Sent: Tuesday, December 19, 2006 2:38 AM Subject: RE: [ActiveDir] AdminSDHolder orphans Yeah this caused me issues when I was at a large client which had this proposensity to put everyone and their brother into a group that triggered this behavior. What I would do is dump everyone with admincount0, then set admincount=0 on all of them, wait a bit, and see who was back to 0 and then fix the deltas. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Monday, December 18, 2006 8:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: * Replace the object's security descriptor with that of the AdminSDHolder; * Disable permissions inheritance on the object; * Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across
RE: [ActiveDir] AdminSDHolder orphans
Either: http://support.microsoft.com/kb/251343 Or create an LDIF file which performs the same actions. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: 19 December 2006 15:13 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder orphans Paul, On a side note, this part of your response caught my eye... ...and then retriggered SDPROP. Is there a way to manually trigger SDPROP? There have been times when I have wanted to do this but didn't know how or if it was possible. Thanks, ~Ben -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Tuesday, December 19, 2006 1:29 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AdminSDHolder orphans The SDPROP thread technically, doesn't do anythign with inheritance. That is a trait of the security descriptor, which SDPROP sets. So, realistically, SDPROP overwrites the nTSecurityDescriptor attribute and increments adminCount to 1. The step of setting inheritance to off is unnecessary in the bulleted list (sorry, I know that's pedantic). Should this be reversed? Good question. There could be a cleanup task, but in my mind it shouldn't be part of SDPROP. SDPROP spikes the PDCe enough as it is. Perhaps it should be a different process, possibly running less frequently, e.g. once every 24 hours. As it is, this needs to be process driven. For example, on the current design I'm working on, if an administrator in the English sense of the word (as opposed to the techie definition) requires additional administrative access for a particular change they are elevated via a semi-automated workflow process. This process is done via Active Roles. We're currently working on the technical side of how to undo the effects of SDPROP when such an action occurs, e.g. elevated to schema admins. In the past I've occasionally brute forced this and queried for anyone with an adminCount of 1, set that back to 0 and enabled inheritance and then retriggered SDPROP. We've discussed scheduling this periodically but I don't like it. For one, there might be additional ACEs that are not needed. Cleaning those up is more tricky - you need to strip the ACE, inherit and set any default ACEs, as well as any non-inherited bespoke ACEs back. It's an interesting question. One no doubt the DS guys have pondered. The mechanics of a rollback seem more tricky, as does some of the security implications I'm sure. On another note, adminCount is also a quick and dirty way of proving to someone just how many users they have that have more rights than they need. Especially when they're spewing a load of BS re. how they delegate most functions and only have a select few admins. Just some semi-cohesive thoughts from me for y'all anyway. --Paul - Original Message - From: Brian Desmond [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, December 19, 2006 2:38 AM Subject: RE: [ActiveDir] AdminSDHolder orphans Yeah this caused me issues when I was at a large client which had this proposensity to put everyone and their brother into a group that triggered this behavior. What I would do is dump everyone with admincount0, then set admincount=0 on all of them, wait a bit, and see who was back to 0 and then fix the deltas. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Monday, December 18, 2006 8:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: * Replace the object's security descriptor with that of the AdminSDHolder; * Disable permissions inheritance on the object; * Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync
[ActiveDir] AdminSDHolder orphans
Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: Replace the objects security descriptor with that of the AdminSDHolder; Disable permissions inheritance on the object; Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] AdminSDHolder orphans
Yeah this caused me issues when I was at a large client which had this proposensity to put everyone and their brother into a group that triggered this behavior. What I would do is dump everyone with admincount0, then set admincount=0 on all of them, wait a bit, and see who was back to 0 and then fix the deltas. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Monday, December 18, 2006 8:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: * Replace the object's security descriptor with that of the AdminSDHolder; * Disable permissions inheritance on the object; * Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] AdminSDHolder orphans
? My first thought would be YES, it should reverse the changes it made previously...on the other side...why doesn't it already? there is a script...2003 is the second AD version... so I suspect something else might be the reason why it does not do it adminSDHolder sets the list you mention below when it finds a user or group that is a member of some protected group. That is easy to do because it only checks the known protected users, know protected groups and its members. Not that difficult to query. Now remove user X from a protected group or a group that is a member of a protected group. What is left over? Permissions still reflect the config of the adminSDHolder, inheritance is not enabled and adminCount=1. (1) By querying known protected users, know protected groups and its members you know who is protected. By querying for adminCount=1 you get the protected users and the users who once were protected. From that list remove everyone that is protected. Left overs are sec. princ. who are not protected anymore but still have adminCount=1 (assuming nobody sets adminCount=1 just for fun ;-) ). Set adminCount=0, enable inheritance and revert permissions back to schema default. Possible issues here are if some programs/apps have set their own permissions on objects. You do not know what was previously there except for the schema defaulf perms. The same still aplies know when you need to do it manually, so there would not be much difference (2) OR just get everyone with adminCount=1 and check if it is a direct member of a protected group or an indirect member of a protected group (group nesting). If not set adminCount=0, enable inheritance and revert permissions back to schema default. just some euro thoughts ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Tony Murray Sent: Tue 2006-12-19 02:32 To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: � Replace the object�s security descriptor with that of the AdminSDHolder; � Disable permissions inheritance on the object; � Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder �orphans�. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. winmail.dat
RE: [ActiveDir] AdminSDHolder
Neal: Would you like to alter the list because you
would like to add your own custom groups/users to get controlled like that or do
you just want tojust change what is protected at
all?
joe: the
former
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joeSent: 20 March 2006 21:27To:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir]
AdminSDHolder
But that is
perl -e "print \"very
\"x1000,\"\n\""
dangerous.
If you happen to drop one of these objects in an OU that
has some inherited permissions defined such asuser:FC to somefolks
with lesserpowers then it is all over.
But yes, it is a Security Descriptor level mod which
includes the ACLs (both DACL and SACL),inheritence setting (aka
protected), owner, primary group, etc.
Neal: Would you like to alter the list because you would
like to add your own custom groups/users to get controlled like that or do you
just want tojust change what is protected at all?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-WeidnerSent: Monday, March 20, 2006 3:32 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir]
AdminSDHolder
Hi Neil,
as mentioned in my blog entry you are able to change if it
applies to the operator-groups (and which).
The whole nTSecurityDescriptor is copied, since there is
inheritance disabled on the adminSdHolder-Object inheritance is disabled by
default on those protected objects as well. If you enable inheritance on the
adminSdHolder the objects will inherit permissions.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz Weblog:
http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile:http://mvp.support.microsoft.com/profile="">
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]Sent: Monday, March 20, 2006 11:01
AMTo: ActiveDir@mail.activedir.orgSubject: RE:
[ActiveDir] AdminSDHolder
A few minor additions to other posts in this
thread:
The list of objects protected by SDPROP is hard coded
AFAIK. The SD applied to adminsdholder is then copied to those objects and (by
default), all other ACEs are removed and inheritance is disabled
too.
We discussed changing the list of objects protected in
previous threads and concluded that this was not possible. I, for one, would
like the flexibility to alter the list.
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
KernSent: 17 March 2006 20:24To:
activedirectorySubject: [ActiveDir]
AdminSDHolder
This may sound like a stupid question, but here goes-
When MS says that Print Operators, Account Operators,or Backup Operators
are protected by the PDCE checking the ACL on the AdminSDHolder object, I
never see those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present
for those groups?
Thanks and sorry again if this seems really stupid or basic.
PLEASE READ: The
information contained in this email is confidential and
intended for the
named recipient(s) only. If you are not an intended
recipient of this
email please notify the sender immediately and delete your
copy from your
system. You must not copy, distribute or take any further
action in reliance
on it. Email is not a secure method of communication and
Nomura
International plc ('NIplc') will not, to the extent permitted by law,
accept
responsibility or liability for (a) the accuracy or completeness of,
or (b) the
presence of any virus, worm or similar malicious or disabling
code in, this
message or any attachment(s) to it. If verification of this
email is sought
then please request a hard copy. Unless otherwise stated
this email: (1) is
not, and should not be treated or relied upon as,
investment
research; (2) contains views or opinions that are solely those of
the author and do
not necessarily represent those of NIplc; (3) is intended
for informational
purposes only and is not a recommendation, solicitation or
offer to buy or
sell securities or related financial instruments. NIplc
does not provide
investment services to private customers. Authorised and
regulated by the
Financial Services Authority. Registered in England
no. 1550505 VAT
No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.
A member of the Nomura group of companies.
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and
RE: [ActiveDir] AdminSDHolder
OK thanks, I have made a note. I will bring it up when I am
with someone who could make a difference with it. I have also made a note in the
folder that has suggestions for future joeware and/or Deviant Software
tools/solutions.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]Sent: Tuesday, March 21, 2006 3:16
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir]
AdminSDHolder
Neal: Would you like to alter the list because you
would like to add your own custom groups/users to get controlled like that or do
you just want tojust change what is protected at
all?
joe: the
former
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joeSent: 20 March 2006 21:27To:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir]
AdminSDHolder
But that is
perl -e "print \"very
\"x1000,\"\n\""
dangerous.
If you happen to drop one of these objects in an OU that
has some inherited permissions defined such asuser:FC to somefolks
with lesserpowers then it is all over.
But yes, it is a Security Descriptor level mod which
includes the ACLs (both DACL and SACL),inheritence setting (aka
protected), owner, primary group, etc.
Neal: Would you like to alter the list because you would
like to add your own custom groups/users to get controlled like that or do you
just want tojust change what is protected at all?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-WeidnerSent: Monday, March 20, 2006 3:32 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir]
AdminSDHolder
Hi Neil,
as mentioned in my blog entry you are able to change if it
applies to the operator-groups (and which).
The whole nTSecurityDescriptor is copied, since there is
inheritance disabled on the adminSdHolder-Object inheritance is disabled by
default on those protected objects as well. If you enable inheritance on the
adminSdHolder the objects will inherit permissions.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz Weblog:
http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile:http://mvp.support.microsoft.com/profile="">
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]Sent: Monday, March 20, 2006 11:01
AMTo: ActiveDir@mail.activedir.orgSubject: RE:
[ActiveDir] AdminSDHolder
A few minor additions to other posts in this
thread:
The list of objects protected by SDPROP is hard coded
AFAIK. The SD applied to adminsdholder is then copied to those objects and (by
default), all other ACEs are removed and inheritance is disabled
too.
We discussed changing the list of objects protected in
previous threads and concluded that this was not possible. I, for one, would
like the flexibility to alter the list.
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
KernSent: 17 March 2006 20:24To:
activedirectorySubject: [ActiveDir]
AdminSDHolder
This may sound like a stupid question, but here goes-
When MS says that Print Operators, Account Operators,or Backup Operators
are protected by the PDCE checking the ACL on the AdminSDHolder object, I
never see those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present
for those groups?
Thanks and sorry again if this seems really stupid or basic.
PLEASE READ: The
information contained in this email is confidential and
intended for the
named recipient(s) only. If you are not an intended
recipient of this
email please notify the sender immediately and delete your
copy from your
system. You must not copy, distribute or take any further
action in reliance
on it. Email is not a secure method of communication and
Nomura
International plc ('NIplc') will not, to the extent permitted by law,
accept
responsibility or liability for (a) the accuracy or completeness of,
or (b) the
presence of any virus, worm or similar malicious or disabling
code in, this
message or any attachment(s) to it. If verification of this
email is sought
then please request a hard copy. Unless otherwise stated
this email: (1) is
not, and should not be treated or relied upon as,
investment
research; (2) contains views or opinions that are solely those of
the author and do
not necessarily represent those of NIplc; (3) is intended
for informational
purposes only and is not a recommendation, solicitation or
offer to buy or
sell securities or related financial instruments. NIplc
does no
RE: [ActiveDir] AdminSDHolder
A few minor additions to other posts in this
thread:
The list of objects protected by SDPROP is hard coded
AFAIK. The SD applied to adminsdholder is then copied to those objects and (by
default), all other ACEs are removed and inheritance is disabled
too.
We discussed changing the list of objects protected in
previous threads and concluded that this was not possible. I, for one, would
like the flexibility to alter the list.
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
KernSent: 17 March 2006 20:24To:
activedirectorySubject: [ActiveDir]
AdminSDHolder
This may sound like a stupid question, but here goes-
When MS says that Print Operators, Account Operators,or Backup Operators
are protected by the PDCE checking the ACL on the AdminSDHolder object, I never
see those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present for
those groups?
Thanks and sorry again if this seems really stupid or
basic.PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] AdminSDHolder
But that is
perl -e "print \"very
\"x1000,\"\n\""
dangerous.
If you happen to drop one of these objects in an OU that
has some inherited permissions defined such asuser:FC to somefolks
with lesserpowers then it is all over.
But yes, it is a Security Descriptor level mod which
includes the ACLs (both DACL and SACL),inheritence setting (aka
protected), owner, primary group, etc.
Neal: Would you like to alter the list because you would
like to add your own custom groups/users to get controlled like that or do you
just want tojust change what is protected at all?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-WeidnerSent: Monday, March 20, 2006 3:32 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir]
AdminSDHolder
Hi Neil,
as mentioned in my blog entry you are able to change if it
applies to the operator-groups (and which).
The whole nTSecurityDescriptor is copied, since there is
inheritance disabled on the adminSdHolder-Object inheritance is disabled by
default on those protected objects as well. If you enable inheritance on the
adminSdHolder the objects will inherit permissions.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz Weblog:
http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile:http://mvp.support.microsoft.com/profile="">
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]Sent: Monday, March 20, 2006 11:01
AMTo: ActiveDir@mail.activedir.orgSubject: RE:
[ActiveDir] AdminSDHolder
A few minor additions to other posts in this
thread:
The list of objects protected by SDPROP is hard coded
AFAIK. The SD applied to adminsdholder is then copied to those objects and (by
default), all other ACEs are removed and inheritance is disabled
too.
We discussed changing the list of objects protected in
previous threads and concluded that this was not possible. I, for one, would
like the flexibility to alter the list.
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
KernSent: 17 March 2006 20:24To:
activedirectorySubject: [ActiveDir]
AdminSDHolder
This may sound like a stupid question, but here goes-
When MS says that Print Operators, Account Operators,or Backup Operators
are protected by the PDCE checking the ACL on the AdminSDHolder object, I
never see those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present
for those groups?
Thanks and sorry again if this seems really stupid or basic.
PLEASE READ: The
information contained in this email is confidential and
intended for the
named recipient(s) only. If you are not an intended
recipient of this
email please notify the sender immediately and delete your
copy from your
system. You must not copy, distribute or take any further
action in reliance
on it. Email is not a secure method of communication and
Nomura
International plc ('NIplc') will not, to the extent permitted by law,
accept
responsibility or liability for (a) the accuracy or completeness of,
or (b) the
presence of any virus, worm or similar malicious or disabling
code in, this
message or any attachment(s) to it. If verification of this
email is sought
then please request a hard copy. Unless otherwise stated
this email: (1) is
not, and should not be treated or relied upon as,
investment
research; (2) contains views or opinions that are solely those of
the author and do
not necessarily represent those of NIplc; (3) is intended
for informational
purposes only and is not a recommendation, solicitation or
offer to buy or
sell securities or related financial instruments. NIplc
does not provide
investment services to private customers. Authorised and
regulated by the
Financial Services Authority. Registered in England
no. 1550505 VAT
No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP.
A member of the Nomura group of companies.
RE: [ActiveDir] AdminSDHolder
Yes - sorry - didn't want to suggest doing that - just
wanted to outline how it works.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joeSent: Monday, March 20, 2006 10:27 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir]
AdminSDHolder
But that is
perl -e "print \"very
\"x1000,\"\n\""
dangerous.
If you happen to drop one of these objects in an OU that
has some inherited permissions defined such asuser:FC to somefolks
with lesserpowers then it is all over.
But yes, it is a Security Descriptor level mod which
includes the ACLs (both DACL and SACL),inheritence setting (aka
protected), owner, primary group, etc.
Neal: Would you like to alter the list because you would
like to add your own custom groups/users to get controlled like that or do you
just want tojust change what is protected at all?
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-WeidnerSent: Monday, March 20, 2006 3:32 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir]
AdminSDHolder
Hi Neil,
as mentioned in my blog entry you are able to change if
it applies to the operator-groups (and which).
The whole nTSecurityDescriptor is copied, since there is
inheritance disabled on the adminSdHolder-Object inheritance is disabled by
default on those protected objects as well. If you enable inheritance on the
adminSdHolder the objects will inherit permissions.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die
Expertentipps": http://tinyurl.com/44zcz Weblog:
http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile:http://mvp.support.microsoft.com/profile="">
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]Sent: Monday, March 20, 2006 11:01
AMTo: ActiveDir@mail.activedir.orgSubject: RE:
[ActiveDir] AdminSDHolder
A few minor additions to other posts in this
thread:
The list of objects protected by SDPROP is hard coded
AFAIK. The SD applied to adminsdholder is then copied to those objects and
(by default), all other ACEs are removed and inheritance is disabled
too.
We discussed changing the list of objects protected in
previous threads and concluded that this was not possible. I, for one, would
like the flexibility to alter the list.
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
KernSent: 17 March 2006 20:24To:
activedirectorySubject: [ActiveDir]
AdminSDHolder
This may sound like a stupid question, but here goes-
When MS says that Print Operators, Account Operators,or Backup
Operators are protected by the PDCE checking the ACL on the AdminSDHolder
object, I never see those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present
for those groups?
Thanks and sorry again if this seems really stupid or basic.
PLEASE READ: The
information contained in this email is confidential and
intended for the
named recipient(s) only. If you are not an intended
recipient of
this email please notify the sender immediately and delete your
copy from your
system. You must not copy, distribute or take any further
action in
reliance on it. Email is not a secure method of communication and
Nomura
International plc ('NIplc') will not, to the extent permitted by law,
accept
responsibility or liability for (a) the accuracy or completeness of,
or (b) the
presence of any virus, worm or similar malicious or disabling
code in, this
message or any attachment(s) to it. If verification of this
email is sought
then please request a hard copy. Unless otherwise stated
this email: (1)
is not, and should not be treated or relied upon as,
investment
research; (2) contains views or opinions that are solely those of
the author and
do not necessarily represent those of NIplc; (3) is intended
for
informational purposes only and is not a recommendation, solicitation or
offer to buy or
sell securities or related financial instruments. NIplc
does not provide
investment services to private customers. Authorised and
regulated by the
Financial Services Authority. Registered in England
no. 1550505 VAT
No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A
4NP. A member of the Nomura group of companies.
[ActiveDir] AdminSDHolder
This may sound like a stupid question, but here goes- When MS says that Print Operators, Account Operators,or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE. Where are they listed? How are they protected? What ACL is the PDCE checking to determine what perms should be present for those groups? Thanks and sorry again if this seems really stupid or basic.
RE: [ActiveDir] AdminSDHolder
Hi Tom, I do not fully understand what you mean. When MS says that Print Operators, Account Operators,or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE. Wrong - MS does not say that the Operators are protected by the PDCE checking any ACL. The PDCE runs the process which ensures that the adminCount Attribut of members of those groups (+ others and accounts you havent mentioned) is 0, then it resets the Security-Descriptor to be the same as the AdminSdHolder-Process. You've never seen ACEs for AOs? Did you check a user, group, computer, inetorgperson or OU? Account Operators have the right to create child/delete child on OUs for Users, Groups, Computers, INetOrgPersons, and they also have Full Control on those Objects. Where are they listed? Security Tab How are they protected? See above What ACL is the PDCE checking to determine what perms should be present for those groups?No ACL, it's checking the groups, and resets the rights of their members. The adminCount Attribute is helper. In the thread before my blog about this was mentioned, I think it clarifies some stuff: http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile:http://mvp.support.microsoft.com/profile=""> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, March 17, 2006 9:24 PMTo: activedirectorySubject: [ActiveDir] AdminSDHolder This may sound like a stupid question, but here goes- When MS says that Print Operators, Account Operators,or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE. Where are they listed? How are they protected? What ACL is the PDCE checking to determine what perms should be present for those groups? Thanks and sorry again if this seems really stupid or basic.
RE: [ActiveDir] AdminSDHolder
The SDPROP thread monitors groups/users that are considered "sensitive" and if the SD of one of those objects is not the same as what is on the adminSDHolder object, that SD is applied to the object. They are not specified in the ACL on the adminSDHolder object because they shouldn't have permissions over those sensitive objects. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, March 17, 2006 3:24 PMTo: activedirectorySubject: [ActiveDir] AdminSDHolder This may sound like a stupid question, but here goes- When MS says that Print Operators, Account Operators,or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE. Where are they listed? How are they protected? What ACL is the PDCE checking to determine what perms should be present for those groups? Thanks and sorry again if this seems really stupid or basic.
Re: [ActiveDir] AdminSDHolder
when you say if the SD of one of those objects is not the same as what is on the adminSDHolder object..., where on the adminSDHolder object are these values kept that help it determine the SD? Thanks On 3/17/06, joe [EMAIL PROTECTED] wrote: The SDPROP thread monitors groups/users that are considered sensitive and if the SD of one of those objects is not the same as what is on the adminSDHolder object, that SD is applied to the object. They are not specified in the ACL on the adminSDHolder object because they shouldn't have permissions over those sensitive objects. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Friday, March 17, 2006 3:24 PMTo: activedirectorySubject: [ActiveDir] AdminSDHolder This may sound like a stupid question, but here goes- When MS says that Print Operators, Account Operators,or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE. Where are they listed? How are they protected? What ACL is the PDCE checking to determine what perms should be present for those groups? Thanks and sorry again if this seems really stupid or basic.
RE: [ActiveDir] AdminSDHolder
The securityDescriptor of the adminSdHolder is copied to be
the same as the securityDescriptor of the Object in Question. Just look at the
Security-Tab of both, they are the same. If you change to one of a protected
Object (adminCount 0) it will be reset to be the same within one
hour.
AdminSdHolder is a object which has IMHO no specific use,
just to hold a securityDescriptor to use as template.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz Weblog:
http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile:http://mvp.support.microsoft.com/profile="">
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom
KernSent: Saturday, March 18, 2006 1:26 AMTo:
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir]
AdminSDHolder
when you say " if the SD of one of those objects is not the same as what
is on the adminSDHolder object...", where on the adminSDHolder object are
these values kept that help it determine the SD?
Thanks
On 3/17/06, joe
[EMAIL PROTECTED]
wrote:
The
SDPROP thread monitors groups/users that are considered "sensitive" and if
the SD of one of those objects is not the same as what is on the
adminSDHolder object, that SD is applied to the object. They are not
specified in the ACL on the adminSDHolder object because they shouldn't have
permissions over those sensitive objects.
--
O'Reilly
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Tom
KernSent: Friday, March 17, 2006 3:24 PMTo:
activedirectorySubject: [ActiveDir]
AdminSDHolder
This may sound like a stupid question, but here goes-
When MS says that Print Operators, Account Operators,or Backup
Operators are protected by the PDCE checking the ACL on the AdminSDHolder
object, I never see those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present
for those groups?
Thanks and sorry again if this seems really stupid or
basic.
RE: [ActiveDir] AdminSDHolder
The SD of the adminSDHolder object is the nTSecurityDescriptor attribute of that object. It is in the System container of the domain in question. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, March 17, 2006 7:26 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] AdminSDHolder when you say " if the SD of one of those objects is not the same as what is on the adminSDHolder object...", where on the adminSDHolder object are these values kept that help it determine the SD? Thanks On 3/17/06, joe [EMAIL PROTECTED] wrote: The SDPROP thread monitors groups/users that are considered "sensitive" and if the SD of one of those objects is not the same as what is on the adminSDHolder object, that SD is applied to the object. They are not specified in the ACL on the adminSDHolder object because they shouldn't have permissions over those sensitive objects. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom KernSent: Friday, March 17, 2006 3:24 PMTo: activedirectorySubject: [ActiveDir] AdminSDHolder This may sound like a stupid question, but here goes- When MS says that Print Operators, Account Operators,or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE. Where are they listed? How are they protected? What ACL is the PDCE checking to determine what perms should be present for those groups? Thanks and sorry again if this seems really stupid or basic.
[ActiveDir] Adminsdholder Propertiy Qustion...
Hello ;-) I had a strange issue yesterday. An administrator who has full control(ct) of his OU and the child objects, was not able to modify a user account properties or password. The security option of the user object shows that the admin was not on the user object acl: the inheritance case that allows the parents to apply to this object ...was disabled !! After searching on the net, i have found that the adminsdholder was responsible for that. Endeed, user was member of print operators and thus is protected by adminsdholder throw his membershhip of this protected group. So i enabled the inheritance on the security option of the adminsdholder attribute, wait for less than 1 hour that PDCemulator do his job, and checked that user object has the inheritance case activated: that's was OK and delegated admin was enjoyed ! :-) BUT, for my personnal interest, i think disabling the inheritance of the adminsdholder in not a good option dûe to security pruposes. So in this case, how can I just enabling inheritance of only this user acl without enabling it on the whole adminsdholder so the OU's admin have full ct on the user object. I also would like the user to continue to be member of the print operators. Thanks for your expert advices :o) NB: do not bother about my poor english writing and be indulgent 8-) Regards, Yann List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Adminsdholder Propertiy Qustion...
Hi, Have you seen Delegated permissions are not available and inheritance is automatically disabled (http://support.microsoft.com/?id=817433) This article describes how you can configure which default protected groups are protected or not by the adminsdholder object. Although possible I do not recommend it as there is more like I mention below. You are using the group print operators to manage printers, so this means your DCs are also print servers. Is this correct? Are you aware that the admin that manages the OU and its child objects (has Full Control) can log on to your DCs? That admin can change the password of the user that is a member of the print operators. After that he can use that user's credentials to log on to a DC. Why? By default print operators have ability to logon to DCs and do some stuff like shutting down the DC and load and unload device drivers (install printer drivers and others) I'm not sure if you already do it, but I recommend to distinguish between normal user accounts (to read mail, create documents, etc.) and admin accounts (to do all kinds of admin stuff). In my opinion each admin should logon to their workstation using their normal user account and do admin tasks using the RUNAS option. It is better however to have a separate workstation (or TS or Citrix) (protected like other servers) to do admin tasks. Using his normal workstation the admin user sets up a terminal session using RDP or ICA to the ADMIN workstation and does this things Cheers, #JORGE# -Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 5/22/2005 2:39 PM Subject: [ActiveDir] Adminsdholder Propertiy Qustion... Hello ;-) I had a strange issue yesterday. An administrator who has full control(ct) of his OU and the child objects, was not able to modify a user account properties or password. The security option of the user object shows that the admin was not on the user object acl: the inheritance case that allows the parents to apply to this object ...was disabled !! After searching on the net, i have found that the adminsdholder was responsible for that. Endeed, user was member of print operators and thus is protected by adminsdholder throw his membershhip of this protected group. So i enabled the inheritance on the security option of the adminsdholder attribute, wait for less than 1 hour that PDCemulator do his job, and checked that user object has the inheritance case activated: that's was OK and delegated admin was enjoyed ! :-) BUT, for my personnal interest, i think disabling the inheritance of the adminsdholder in not a good option dûe to security pruposes. So in this case, how can I just enabling inheritance of only this user acl without enabling it on the whole adminsdholder so the OU's admin have full ct on the user object. I also would like the user to continue to be member of the print operators. Thanks for your expert advices :o) NB: do not bother about my poor english writing and be indulgent 8-) Regards, Yann List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Adminsdholder Propertiy Qustion...
Hi Jorge, WAAOOU ! Endeed i was not aware that print operators group was able to log on to my DCs and do task as reboot !! And yes,my DCs are also prints servers. maybe it's not good for security... but it's hard to convince my direction to buy a server ONLY for printers purposes. So i'd better review the best security practices as you suggested rather than playing with the adminsdhlder.. Thanks for your feedback. ;-) Regards, Yann Cordialement, Yann TIROA Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât. Gabriel Lippmann - 2 ème étage - salle 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex. -Message d'origine- De : Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] Envoyé : dimanche 22 mai 2005 15:18 À : TIROA YANN; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Objet : RE: [ActiveDir] Adminsdholder Propertiy Qustion... Hi, Have you seen Delegated permissions are not available and inheritance is automatically disabled (http://support.microsoft.com/?id=817433) This article describes how you can configure which default protected groups are protected or not by the adminsdholder object. Although possible I do not recommend it as there is more like I mention below. You are using the group print operators to manage printers, so this means your DCs are also print servers. Is this correct? Are you aware that the admin that manages the OU and its child objects (has Full Control) can log on to your DCs? That admin can change the password of the user that is a member of the print operators. After that he can use that user's credentials to log on to a DC. Why? By default print operators have ability to logon to DCs and do some stuff like shutting down the DC and load and unload device drivers (install printer drivers and others) I'm not sure if you already do it, but I recommend to distinguish between normal user accounts (to read mail, create documents, etc.) and admin accounts (to do all kinds of admin stuff). In my opinion each admin should logon to their workstation using their normal user account and do admin tasks using the RUNAS option. It is better however to have a separate workstation (or TS or Citrix) (protected like other servers) to do admin tasks. Using his normal workstation the admin user sets up a terminal session using RDP or ICA to the ADMIN workstation and does this things Cheers, #JORGE# -Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 5/22/2005 2:39 PM Subject: [ActiveDir] Adminsdholder Propertiy Qustion... Hello ;-) I had a strange issue yesterday. An administrator who has full control(ct) of his OU and the child objects, was not able to modify a user account properties or password. The security option of the user object shows that the admin was not on the user object acl: the inheritance case that allows the parents to apply to this object ...was disabled !! After searching on the net, i have found that the adminsdholder was responsible for that. Endeed, user was member of print operators and thus is protected by adminsdholder throw his membershhip of this protected group. So i enabled the inheritance on the security option of the adminsdholder attribute, wait for less than 1 hour that PDCemulator do his job, and checked that user object has the inheritance case activated: that's was OK and delegated admin was enjoyed ! :-) BUT, for my personnal interest, i think disabling the inheritance of the adminsdholder in not a good option dûe to security pruposes. So in this case, how can I just enabling inheritance of only this user acl without enabling it on the whole adminsdholder so the OU's admin have full ct on the user object. I also would like the user to continue to be member of the print operators. Thanks for your expert advices :o) NB: do not bother about my poor english writing and be indulgent 8-) Regards, Yann List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Adminsdholder Propertiy Qustion...
For the sake of security you could move the print server role to other server(s) in your environment that are member servers. In this case you cannot use the print operators group if a member server is the print server. You need at least permissions to: * Create printer instances * Install printer drivers * Share printer instances * Manager the printer instances Or let the designated domain admins do those tasks I don't know how to configure this only. If a print admin is a member of the local admins group on the member server I'm sure he has enough power to manage printing on that member server... Maybe someone else on this list knows how to specifically delegate the print admin permissions as mentioned above on member servers with giving away the local admins group membership Cheers #JORGE# -Original Message- From: TIROA YANN To: Jorge de Almeida Pinto; [EMAIL PROTECTED]; ActiveDir@mail.activedir.org Sent: 5/22/2005 3:56 PM Subject: RE: [ActiveDir] Adminsdholder Propertiy Qustion... Hi Jorge, WAAOOU ! Endeed i was not aware that print operators group was able to log on to my DCs and do task as reboot !! And yes,my DCs are also prints servers. maybe it's not good for security... but it's hard to convince my direction to buy a server ONLY for printers purposes. So i'd better review the best security practices as you suggested rather than playing with the adminsdhlder.. Thanks for your feedback. ;-) Regards, Yann Cordialement, Yann TIROA Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât. Gabriel Lippmann - 2 ème étage - salle 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex. -Message d'origine- De : Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] Envoyé : dimanche 22 mai 2005 15:18 À : TIROA YANN; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Objet : RE: [ActiveDir] Adminsdholder Propertiy Qustion... Hi, Have you seen Delegated permissions are not available and inheritance is automatically disabled (http://support.microsoft.com/?id=817433) This article describes how you can configure which default protected groups are protected or not by the adminsdholder object. Although possible I do not recommend it as there is more like I mention below. You are using the group print operators to manage printers, so this means your DCs are also print servers. Is this correct? Are you aware that the admin that manages the OU and its child objects (has Full Control) can log on to your DCs? That admin can change the password of the user that is a member of the print operators. After that he can use that user's credentials to log on to a DC. Why? By default print operators have ability to logon to DCs and do some stuff like shutting down the DC and load and unload device drivers (install printer drivers and others) I'm not sure if you already do it, but I recommend to distinguish between normal user accounts (to read mail, create documents, etc.) and admin accounts (to do all kinds of admin stuff). In my opinion each admin should logon to their workstation using their normal user account and do admin tasks using the RUNAS option. It is better however to have a separate workstation (or TS or Citrix) (protected like other servers) to do admin tasks. Using his normal workstation the admin user sets up a terminal session using RDP or ICA to the ADMIN workstation and does this things Cheers, #JORGE# -Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 5/22/2005 2:39 PM Subject: [ActiveDir] Adminsdholder Propertiy Qustion... Hello ;-) I had a strange issue yesterday. An administrator who has full control(ct) of his OU and the child objects, was not able to modify a user account properties or password. The security option of the user object shows that the admin was not on the user object acl: the inheritance case that allows the parents to apply to this object ...was disabled !! After searching on the net, i have found that the adminsdholder was responsible for that. Endeed, user was member of print operators and thus is protected by adminsdholder throw his membershhip of this protected group. So i enabled the inheritance on the security option of the adminsdholder attribute, wait for less than 1 hour that PDCemulator do his job, and checked that user object has the inheritance case activated: that's was OK and delegated admin was enjoyed ! :-) BUT, for my personnal interest, i think disabling the inheritance of the adminsdholder in not a good option dûe to security pruposes. So in this case, how can I just enabling inheritance of only this user acl without enabling it on the whole adminsdholder so the OU's admin have full ct on the user object. I also would like the user to continue to be member of the print operators. Thanks for your expert advices :o) NB: do not bother about my poor english writing and be indulgent 8-) Regards, Yann List info : http://www.activedir.org/List.aspx List FAQ
RE: [ActiveDir] Adminsdholder Propertiy Qustion...
What I mentioned also applies to some other built-in groups... see also http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html #JORGE# -Original Message- From: TIROA YANN To: Jorge de Almeida Pinto; [EMAIL PROTECTED]; ActiveDir@mail.activedir.org Sent: 5/22/2005 3:56 PM Subject: RE: [ActiveDir] Adminsdholder Propertiy Qustion... Hi Jorge, WAAOOU ! Endeed i was not aware that print operators group was able to log on to my DCs and do task as reboot !! And yes,my DCs are also prints servers. maybe it's not good for security... but it's hard to convince my direction to buy a server ONLY for printers purposes. So i'd better review the best security practices as you suggested rather than playing with the adminsdhlder.. Thanks for your feedback. ;-) Regards, Yann Cordialement, Yann TIROA Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât. Gabriel Lippmann - 2 ème étage - salle 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex. -Message d'origine- De : Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] Envoyé : dimanche 22 mai 2005 15:18 À : TIROA YANN; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Objet : RE: [ActiveDir] Adminsdholder Propertiy Qustion... Hi, Have you seen Delegated permissions are not available and inheritance is automatically disabled (http://support.microsoft.com/?id=817433) This article describes how you can configure which default protected groups are protected or not by the adminsdholder object. Although possible I do not recommend it as there is more like I mention below. You are using the group print operators to manage printers, so this means your DCs are also print servers. Is this correct? Are you aware that the admin that manages the OU and its child objects (has Full Control) can log on to your DCs? That admin can change the password of the user that is a member of the print operators. After that he can use that user's credentials to log on to a DC. Why? By default print operators have ability to logon to DCs and do some stuff like shutting down the DC and load and unload device drivers (install printer drivers and others) I'm not sure if you already do it, but I recommend to distinguish between normal user accounts (to read mail, create documents, etc.) and admin accounts (to do all kinds of admin stuff). In my opinion each admin should logon to their workstation using their normal user account and do admin tasks using the RUNAS option. It is better however to have a separate workstation (or TS or Citrix) (protected like other servers) to do admin tasks. Using his normal workstation the admin user sets up a terminal session using RDP or ICA to the ADMIN workstation and does this things Cheers, #JORGE# -Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 5/22/2005 2:39 PM Subject: [ActiveDir] Adminsdholder Propertiy Qustion... Hello ;-) I had a strange issue yesterday. An administrator who has full control(ct) of his OU and the child objects, was not able to modify a user account properties or password. The security option of the user object shows that the admin was not on the user object acl: the inheritance case that allows the parents to apply to this object ...was disabled !! After searching on the net, i have found that the adminsdholder was responsible for that. Endeed, user was member of print operators and thus is protected by adminsdholder throw his membershhip of this protected group. So i enabled the inheritance on the security option of the adminsdholder attribute, wait for less than 1 hour that PDCemulator do his job, and checked that user object has the inheritance case activated: that's was OK and delegated admin was enjoyed ! :-) BUT, for my personnal interest, i think disabling the inheritance of the adminsdholder in not a good option dûe to security pruposes. So in this case, how can I just enabling inheritance of only this user acl without enabling it on the whole adminsdholder so the OU's admin have full ct on the user object. I also would like the user to continue to be member of the print operators. Thanks for your expert advices :o) NB: do not bother about my poor english writing and be indulgent 8-) Regards, Yann List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material
RE : [ActiveDir] Adminsdholder Propertiy Qustion...
Title: RE: [ActiveDir] Adminsdholder Propertiy Qustion... Thanks for all the technical links, i've began to read "Delegated permissions are not available and inheritanceis automatically disabled", and il looks very interesting. with many workarounds concerning my needs.. Go now for http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html:-)) Regards,Yann De: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]Date: dim. 22/05/2005 16:26À: TIROA YANN; Jorge de Almeida Pinto; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org 'Objet : RE: [ActiveDir] Adminsdholder Propertiy Qustion... What I mentioned also applies to some other built-in groups...see alsohttp://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html#JORGE#-Original Message-From: TIROA YANNTo: Jorge de Almeida Pinto; [EMAIL PROTECTED];ActiveDir@mail.activedir.orgSent: 5/22/2005 3:56 PMSubject: RE: [ActiveDir] Adminsdholder Propertiy Qustion...Hi Jorge,WAAOOU ! Endeed i was not aware that print operators group was able tolog on to my DCs and do task as reboot !!And yes,my DCs are also prints servers. maybe it's not good forsecurity... but it's hard to convince my direction to buy a server ONLYfor printers purposes.So i'd better review the best security practices as you suggested ratherthan "playing" with the adminsdhlder..Thanks for your feedback. ;-)Regards,YannCordialement,Yann TIROACentre de Ressources Informatique.Campus Scientifique de la DOUA.Bât. Gabriel Lippmann - 2 ème étage - salle 238.43, Bd du 11 Novembre 1918.69622 Villeurbanne Cedex.-Message d'origine-De : Jorge de Almeida Pinto[mailto:[EMAIL PROTECTED]]Envoyé : dimanche 22 mai 2005 15:18À : TIROA YANN; '[EMAIL PROTECTED] ';'ActiveDir@mail.activedir.org 'Objet : RE: [ActiveDir] Adminsdholder Propertiy Qustion...Hi,Have you seen "Delegated permissions are not available and inheritanceis automatically disabled" (http://support.microsoft.com/?id=817433)This article describes how you can configure which default protectedgroups are protected or not by the adminsdholder object. Althoughpossible I do not recommend it as there is more like I mention below.You are using the group "print operators" to manage printers, so thismeans your DCs are also print servers. Is this correct?Are you aware that the admin that manages the OU and its child objects(has Full Control) can log on to your DCs?That admin can change the password of the user that is a member of theprint operators. After that he can use that user's credentials to log onto a DC.Why? By default print operators have ability to logon to DCs and do somestuff like shutting down the DC and load and unload device drivers(install printer drivers and others)I'm not sure if you already do it, but I recommend to distinguishbetween normal user accounts (to read mail, create documents, etc.) andadmin accounts (to do all kinds of admin stuff). In my opinion eachadmin should logon to their workstation using their normal user accountand do admin tasks using the RUNAS option. It is better however to havea separate workstation (or TS or Citrix) (protected like other servers)to do admin tasks. Using his normal workstation the admin user sets up aterminal session using RDP or ICA to the ADMIN workstation and does thisthingsCheers,#JORGE#-Original Message-From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSent: 5/22/2005 2:39 PMSubject: [ActiveDir] Adminsdholder Propertiy Qustion...Hello ;-)I had a strange issue yesterday.An administrator who has full control(ct) of his OU and the childobjects, was not able to modify a user account properties or password.The security option of the user object shows that the admin was not onthe user object acl: the inheritance case that allows the parents toapply to this object ...was disabled !!After searching on the net, i have found that the adminsdholder wasresponsible for that. Endeed, user was member of print operators andthus is protected by adminsdholder throw his membershhip of thisprotected group.So i enabled the inheritance on the security option of the adminsdholderattribute, wait for less than 1 hour that PDCemulator "do his job", andchecked that user object has the inheritance case activated: that's wasOK and delegated admin was enjoyed ! :-)BUT, for my personnal interest, i think disabling the inheritance of theadminsdholder in not a good option dûe to security pruposes. So in thiscase, how can I just enabling inheritance of only this user acl withoutenabling it on the whole adminsdholder so the OU's admin have full ct onthe user object.I also would like the user to continue to be member of the printoperators.Thanks for your expert advices :o)NB: do not bother about my poor english writing and be indulgent 8-)Regards,YannList info : http://www.activedir.org/List.aspxList FAQ : http://www.activedir.org/Lis
RE: [ActiveDir] AdminSDHolder and Default button
(1) I expect the default permissions to REPLACE all existing permissions, because otherwise the DEFAULT buttonb would be meaningless (2) The DEFAULT button reads the security descriptor in the schema for that particular object and places that onto the object and it enables the allow inherit from parent flag. Have checked Microsoft Scriptcenter For a script to reset the ADMINCOUNT = 1 to ADMINCOUNT = 0 see MS-KBQ817433 Delegated permissions are not available and inheritance is automatically disabled Cheers, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: dinsdag 19 april 2005 3:50 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AdminSDHolder and Default button Hi all, If a user used to be a member of Account Operators group (affected by AdminSDHolder permissions) and has left that group - it is found that the permissions are not set back to default. Hence this user will have a very restrictive settings on itself and other members of account operators will not have rights over this username (eventhough it is no longer a member of that group). In Win2003 there's a button Default - user properties - security - advanced - DEFAULT. Description is set to replace all permission entries with the default setting. I've enabled this on a couple of accounts and seems to work expectedly. Question: 1) Does default removes any explicitly defined ACL on the user accounts? (I sure hope not). 2) How do I script this default function? Is this an attribute or something within the object itself? I have quite a few users that needs its permissions to be 'resetted' Thanks! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AdminSDHolder and Default button
I can confirm what Jorge expects below - yes, all explicit permissions are removed and then the default from whatever is defined in the schema is set. You can script the resetting of permissions back to the default using the DSACLS.exe or ACLDiag.exe tools (I can't remember if only one of them or both have the /reset permission option) /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Dienstag, 19. April 2005 10:51 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder and Default button (1) I expect the default permissions to REPLACE all existing permissions, because otherwise the DEFAULT buttonb would be meaningless (2) The DEFAULT button reads the security descriptor in the schema for that particular object and places that onto the object and it enables the allow inherit from parent flag. Have checked Microsoft Scriptcenter For a script to reset the ADMINCOUNT = 1 to ADMINCOUNT = 0 see MS-KBQ817433 Delegated permissions are not available and inheritance is automatically disabled Cheers, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: dinsdag 19 april 2005 3:50 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AdminSDHolder and Default button Hi all, If a user used to be a member of Account Operators group (affected by AdminSDHolder permissions) and has left that group - it is found that the permissions are not set back to default. Hence this user will have a very restrictive settings on itself and other members of account operators will not have rights over this username (eventhough it is no longer a member of that group). In Win2003 there's a button Default - user properties - security - advanced - DEFAULT. Description is set to replace all permission entries with the default setting. I've enabled this on a couple of accounts and seems to work expectedly. Question: 1) Does default removes any explicitly defined ACL on the user accounts? (I sure hope not). 2) How do I script this default function? Is this an attribute or something within the object itself? I have quite a few users that needs its permissions to be 'resetted' Thanks! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AdminSDHolder and Default button
Thanks Guido/Jorge As far as I know I should be fine with doing that as there shouldn't be any custom permissions set (I hope). But in any case, is that the recommended way of 'UNDO-ing' the adminsdholder restriction? Or is there a better way?... Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Wednesday, April 20, 2005 3:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder and Default button I can confirm what Jorge expects below - yes, all explicit permissions are removed and then the default from whatever is defined in the schema is set. You can script the resetting of permissions back to the default using the DSACLS.exe or ACLDiag.exe tools (I can't remember if only one of them or both have the /reset permission option) /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Dienstag, 19. April 2005 10:51 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder and Default button (1) I expect the default permissions to REPLACE all existing permissions, because otherwise the DEFAULT buttonb would be meaningless (2) The DEFAULT button reads the security descriptor in the schema for that particular object and places that onto the object and it enables the allow inherit from parent flag. Have checked Microsoft Scriptcenter For a script to reset the ADMINCOUNT = 1 to ADMINCOUNT = 0 see MS-KBQ817433 Delegated permissions are not available and inheritance is automatically disabled Cheers, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: dinsdag 19 april 2005 3:50 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AdminSDHolder and Default button Hi all, If a user used to be a member of Account Operators group (affected by AdminSDHolder permissions) and has left that group - it is found that the permissions are not set back to default. Hence this user will have a very restrictive settings on itself and other members of account operators will not have rights over this username (eventhough it is no longer a member of that group). In Win2003 there's a button Default - user properties - security - advanced - DEFAULT. Description is set to replace all permission entries with the default setting. I've enabled this on a couple of accounts and seems to work expectedly. Question: 1) Does default removes any explicitly defined ACL on the user accounts? (I sure hope not). 2) How do I script this default function? Is this an attribute or something within the object itself? I have quite a few users that needs its permissions to be 'resetted' Thanks! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] AdminSDHolder and Default button
Hi all, If a user used to be a member of Account Operators group (affected by AdminSDHolder permissions) and has left that group - it is found that the permissions are not set back to default. Hence this user will have a very restrictive settings on itself and other members of account operators will not have rights over this username (eventhough it is no longer a member of that group). In Win2003 there's a button Default - user properties - security - advanced - DEFAULT. Description is set to replace all permission entries with the default setting. I've enabled this on a couple of accounts and seems to work expectedly. Question: 1) Does default removes any explicitly defined ACL on the user accounts? (I sure hope not). 2) How do I script this default function? Is this an attribute or something within the object itself? I have quite a few users that needs its permissions to be 'resetted' Thanks! Thank you and have a splendid day! Kind Regards, Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
