AdminSDHolder - in laymen's terms is that the thing that resets default permissions on all built-in

Author
3 Mar 2006 10:17 PM
Spin
AdminSDHolder - in laymen's terms is that the thing that resets default
permissions on all built-in groups?

--
Spin

Author
3 Mar 2006 10:25 PM
Joe Kaplan (MVP - ADSI)
It isn't the thing that does it, but it is the container that holds the SD
that the users in those groups are bounced back to when someone tries to
change their SD.

I'm not sure what process actually does the polling for the objects whose
SDs change and reverts them.

Joe K.

"Spin" <S***@spin.com> wrote in message
news:46rtg3Fceut4U1@individual.net...
> AdminSDHolder - in laymen's terms is that the thing that resets default
> permissions on all built-in groups?
>
> --
> Spin
>
>
Author
4 Mar 2006 12:26 AM
Jorge de Almeida Pinto [MVP]
Joe is right. The AdminSDHolder is considered the "admin security descriptor
holder", which is a reference object for the protected objects (default admin
users and admin groups and their members!).

Every hour, the Microsoft Windows domain controller that has the primary
domain controller (PDC) emulator operations master role verifies the ACLs on
members of these administrative groups and compares them to the ACL on the
AdminSDHolder object. If the ACL that is on the AdminSDHolder object is
different, the ACLs on the members of the administrative group are reset to
match the ACL on the AdminSDHolder object.

For more info on the ADMINSDHOLDER object see the following related KB
articles (not all may apply to your situation!)

Description and Update of the Active Directory AdminSDHolder Object
--> MS-KBQ232199 (http://support.microsoft.com/?id=232199)
AdminSDHolder Thread Affects Transitive Members of Distribution Groups
--> MS-KBQ318180 (http://support.microsoft.com/?id=318180)
Delegated permissions are not available and inheritance is automatically
disabled
--> MS-KBQ817433 (http://support.microsoft.com/?id=817433)
AdminSDHolder Object Affects Delegation of Control for Past Administrator
Accounts
--> MS-KBQ306398 (http://support.microsoft.com/?id=306398)
Security tab of the adminSDHolder object does not display all properties
--> MS-KBQ301188 (http://support.microsoft.com/?id=301188)
"You do not have sufficient permissions in the Domain" error message occurs
and Exchange Setup does not respond
--> MS-KBQ319966 (http://support.microsoft.com/?id=319966)
Certification Authority configuration to publish certificates in Active
Directory of trusted domain
--> MS-KBQ281271 (http://support.microsoft.com/?id=281271)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


"Joe Kaplan (MVP - ADSI)" <joseph.e.kap***@removethis.accenture.com> wrote
in message news:%23Rc3SFxPGHA.720@TK2MSFTNGP14.phx.gbl...
> It isn't the thing that does it, but it is the container that holds the SD
> that the users in those groups are bounced back to when someone tries to
> change their SD.
>
> I'm not sure what process actually does the polling for the objects whose
> SDs change and reverts them.
>
> Joe K.
>
> "Spin" <S***@spin.com> wrote in message
> news:46rtg3Fceut4U1@individual.net...
>> AdminSDHolder - in laymen's terms is that the thing that resets default
>> permissions on all built-in groups?
>>
>> --
>> Spin
>>
>>
>
>
Author
4 Mar 2006 11:02 AM
Paul Williams [MVP]
I've documented it here:
-- http://www.msresource.net/content/view/38/46/


The thread that runs on the hour is inside LSASS.  I forget the exact
details, something like DS Propagator.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Author
4 Mar 2006 11:38 AM
Spin
Nicely written.
AdminSDHolder is the template for which the ACLs should be on the Protected
Groups.  For all else reading this, these are the Protected groups (and not
necessarily the built-in ones, some are, some aren't):


* Administrators
* Account Operators
* Backup Operators
* Cert Publishers
* Domain Admins
* Enterprise Admins
* Print Operators
* Schema Admins
* Server Operators

--
Spin

"Paul Williams [MVP]" <ptw2***@hotmail.com> wrote in message
news:%23oVfls3PGHA.3984@TK2MSFTNGP14.phx.gbl...
> I've documented it here:
> -- http://www.msresource.net/content/view/38/46/
>
>
> The thread that runs on the hour is inside LSASS.  I forget the exact
> details, something like DS Propagator.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
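
Added example, not part of any post in this thread: a read-only PowerShell audit that performs the comparison described above by hand, checking the DACL of each protected group listed in the thread and of its members against the DACL on the AdminSDHolder object. It assumes the ActiveDirectory (RSAT) module and read access to the domain; `Get-AceKeys` is a hypothetical helper name.

```powershell
# Added example: compare protected objects' DACLs with the AdminSDHolder DACL.
# Read-only; assumes the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Protected groups as listed in this thread.
$protectedGroups = 'Administrators', 'Account Operators', 'Backup Operators',
    'Cert Publishers', 'Domain Admins', 'Enterprise Admins', 'Print Operators',
    'Schema Admins', 'Server Operators'

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# Hypothetical helper: flatten an object's DACL into sorted, comparable strings.
function Get-AceKeys {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
            $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType
    } | Sort-Object -Unique
}

$reference = Get-AceKeys -DistinguishedName $holderDN

# Collect the groups themselves plus their (nested) members.
# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so a group that is not found in this domain is skipped.
$targets = foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if ($group) {
        $group.DistinguishedName
        (Get-ADGroupMember -Identity $group -Recursive).DistinguishedName
    }
}

# Report every object whose DACL differs from the AdminSDHolder reference.
$targets | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    $dn   = $_
    $diff = Compare-Object -ReferenceObject $reference -DifferenceObject (Get-AceKeys $dn)
    [pscustomobject]@{
        DistinguishedName    = $dn
        MatchesAdminSDHolder = -not $diff
        ExtraAces            = @($diff | Where-Object SideIndicator -eq '=>').InputObject
        MissingAces          = @($diff | Where-Object SideIndicator -eq '<=').InputObject
    }
}
```

A mismatch can be legitimate if the object was changed or added to a group since the last hourly pass, so recheck after the next run. Review the ACL on AdminSDHolder itself as well, since whatever is on it is what gets written to the members.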
Author
5 Mar 2006 1:05 AM
Joe Richards [MVP]
Close Paul.... SDPROP



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

         http://www.joeware.net/win/ad3e.htm



Paul Williams [MVP] wrote:
> I've documented it here:
>  -- http://www.msresource.net/content/view/38/46/
>
>
> The thread that runs on the hour is inside LSASS.  I forget the exact
> details, something like DS Propagator.
>
Author
5 Mar 2006 11:24 AM
Paul Williams [MVP]
Ah, nice.  Thanks Joe.  I'll note that down and try and update that article
with this info.  Thanks!

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net