Clear adminCount and Enable Inheritance on User

Users in Active Directory that belong to the factory-default privileged groups are protected by SDProp (the Security Descriptor Propagator), a process that runs on the Primary Domain Controller emulator (PDCe) every 60 minutes by default. For each account it finds in a protected group, directly or through nesting, SDProp sets the adminCount attribute to 1, disables permissions inheritance on the object, and replaces the object's access control list (ACL) with the one defined on the AdminSDHolder template object (CN=AdminSDHolder,CN=System in the domain partition). Nothing in the directory reverses this automatically: once an account is removed from the protected groups, adminCount stays at 1 and inheritance stays blocked until someone clears them by hand.

If you want to re-enable permissions inheritance on an account that SDProp / AdminSDHolder has protected, you need to do the following, in this order (if the account is still in a protected group, SDProp will simply re-protect it on its next pass).

  • Remove the user from all protected groups (the factory-default privileged groups in the directory such as Domain Admins, Enterprise Admins, Schema Admins, Administrators, Server Operators, Print Operators, Account Operators, Backup Operators, etc.). NOTE that protected group membership is transitive: if the user is in a group that is itself nested inside a protected group, the user is still protected.
  • Clear the adminCount property on the User object (either set to 0, or unset the property completely)
  • Re-enable inheritance on the User object
  • Wait an hour or two (at least one SDProp interval) and then verify that adminCount has not been set back to 1 and that inheritance is still enabled. If SDProp re-applied the protection, the account is still a member, directly or through nesting, of some protected group.

Here is a script in PowerShell that will take a CSV of usernames and clear adminCount plus re-enable inheritance on each user object for you. It will also report the groups each of these user accounts belongs to; search that output for any protected groups.

Code search keywords: Get-AdUser, ntSecurityDescriptor, ObjectSecurity.SetAccessRuleProtection, ObjectSecurity.AreAccessRulesProtected, Get-ADPrincipalGroupMembership, SamAccountName, adminCount, Set-AdUser, Replace, Clear
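The post's own script is not reproduced on this page. As an added example (my code, not the author's), here is a PowerShell script that implements the four steps above: it takes a CSV with a SamAccountName column, refuses to touch any account that is still a transitive member of a protected group, clears adminCount, re-enables inheritance, and with -VerifyOnly reports the same state again so you can re-run it an hour later to confirm SDProp did not re-protect the account. It assumes the RSAT ActiveDirectory module and an account allowed to write adminCount and nTSecurityDescriptor on the targets; the CSV column name and the script file name in the usage note are my choices. The 1.2.840.113556.1.4.1941 matching rule (LDAP_MATCHING_RULE_IN_CHAIN) is a real AD feature: it makes the DC walk nested group membership server-side, which is what catches the inherited-membership case the note above warns about.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the original post's script. Clears adminCount and re-enables
# ACL inheritance on each user listed in a CSV, but only after confirming the
# account is no longer a transitive member of any AdminSDHolder-protected group
# (otherwise SDProp would re-protect it within the hour).
# Assumptions: RSAT ActiveDirectory module; a CSV with a SamAccountName column;
# the caller can write adminCount and nTSecurityDescriptor on the target objects.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [switch] $VerifyOnly      # report state only (e.g. an hour after the fix), change nothing
)

Import-Module ActiveDirectory

# Escape a DN for use inside an LDAP filter (RFC 4515). Backslash must go first.
function ConvertTo-LdapFilterValue([string] $Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Groups SDProp has stamped (adminCount=1) that the user belongs to, directly or
# through nesting. SDProp sets adminCount=1 on nested groups as well as users, so
# "group with adminCount=1" is a good proxy for "protected group". The
# 1.2.840.113556.1.4.1941 rule (LDAP_MATCHING_RULE_IN_CHAIN) walks the membership
# chain on the DC, so nested membership is found without enumerating every group.
function Get-ProtectedGroupMembership([string] $DistinguishedName) {
    $dn = ConvertTo-LdapFilterValue $DistinguishedName
    Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))" |
        Select-Object -ExpandProperty SamAccountName
}

# Snapshot of the three things SDProp controls plus the membership that drives them.
function Get-AdminSDHolderState([string] $SamAccountName) {
    $u = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor, primaryGroupID
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        AdminCount         = $u.adminCount                                   # $null when unset
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected  # $true = inheritance disabled
        PrimaryGroupID     = $u.primaryGroupID
        ProtectedGroups    = @(Get-ProtectedGroupMembership $u.DistinguishedName)
    }
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $state = Get-AdminSDHolderState $row.SamAccountName
    $state   # always emit the state, so a later -VerifyOnly run shows whether SDProp came back

    if ($VerifyOnly) { continue }

    if ($state.ProtectedGroups.Count -gt 0) {
        Write-Warning "$($state.SamAccountName): still in protected group(s) $($state.ProtectedGroups -join ', '); SDProp would re-protect it. Skipping."
        continue
    }
    # The member attribute does not record primary-group membership, so a user whose
    # primary group was switched from Domain Users (RID 513) to a protected group is
    # invisible to the filter above. Flag it for a human rather than guess.
    if ($state.PrimaryGroupID -ne 513) {
        Write-Warning "$($state.SamAccountName): primary group RID is $($state.PrimaryGroupID), not Domain Users (513); confirm it is not a protected group. Skipping."
        continue
    }
    if (-not $state.InheritanceBlocked -and $null -eq $state.AdminCount) { continue }  # already clean

    if ($PSCmdlet.ShouldProcess($state.SamAccountName, 'Clear adminCount and re-enable inheritance')) {
        $u   = Get-ADUser -Identity $state.SamAccountName -Properties nTSecurityDescriptor
        $acl = $u.nTSecurityDescriptor
        # isProtected=$false turns inheritance back on. The ACEs that SDProp copied from
        # AdminSDHolder remain on the object as explicit entries; review and remove them
        # separately if the account should not keep that hardened DACL.
        $acl.SetAccessRuleProtection($false, $false)
        Set-ADUser -Identity $u -Replace @{ nTSecurityDescriptor = $acl }
        Set-ADUser -Identity $u -Clear adminCount
    }
}
```

Run it first with -WhatIf to see which accounts would be changed and which are skipped because they are still protected, then without -WhatIf to apply the change, and again with -VerifyOnly after at least one SDProp interval (60 minutes by default): any account that comes back with AdminCount 1 or InheritanceBlocked True is still reachable from a protected group and the ProtectedGroups column will usually tell you which one.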

This post has been inspired by the following:

About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in System Administration.