http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspxNed here again. After a few years of supporting Active Directory, nearly everyone runs into an issue with AdminSdHolder . This object and its AD worker code is used by Domain Controllers to protect high-privilege accounts from inadvertent modificationen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx#3239175Mon, 11 May 2009 23:40:38 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3239175AmyPadgett<p>I've wrestled with this issue for a number of years. &nbsp;I finally wrote up a tongue-in-cheek blog about it as a way to avoid a murder charge.</p> <p><a rel="nofollow" target="_new" href="http://enterpriseadminanon.blogspot.com/">http://enterpriseadminanon.blogspot.com/</a></p> <p>Enjoy--Amy</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3239175" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx#3239174Mon, 11 May 2009 23:40:12 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3239174AmyPadgett<p>I've wrestled with this issue for a number of years. &nbsp;I finally wrote up a tongue-in-cheek blog about it as a way to avoid a murder charge.</p> <p><a rel="nofollow" target="_new" href="http://enterpriseadminanon.blogspot.com/">http://enterpriseadminanon.blogspot.com/</a></p> <p>Enjoy--Amy</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3239174" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx#3237666Fri, 08 May 2009 16:59:19 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3237666NedPyle [MSFT]<p>Yep, I cannot get it to flip with just AdminCount=1 anymore. Nice catch Tony, I've updated that piece as well.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3237666" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx#3237647Fri, 08 May 2009 16:17:13 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3237647NedPyle [MSFT]<p>You are right about SDPROP - I was trying to oversimplify here without going into the actual undocumented worker that makes up AdminSDholder, but ended up making it sound like they were one in the same - in reality they are related, but only in passing. I've tweaked the article a bit to make more sense, let me know what you think.</p> <p>I'm trying out the AdminCount part right now in a repro. From looking at source code (rather than trusting an internal doc), I am beginning to suspect that you are right - once upon a time this might have been the case, but no longer since at least 2003. I'll change that part too if needed.</p> <p>Thanks Tony!</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3237647" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx#3237640Fri, 08 May 2009 16:06:50 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3237640Mike Kline<p>Another good article Ned, I always wondered why the decision was made not to &quot;decrement&quot; AdminCount. &nbsp;I see people on certain newsgroups confused because the accounts are no longer in a protected group.</p> <p>Another good blog entry on this subject is from Ulf Simon</p> <p><a rel="nofollow" target="_new" href="http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx">http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx</a></p> <p>Thanks</p> <p>Mike</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3237640" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx#3237352Fri, 08 May 2009 06:33:35 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3237352murrato1<p>Hi Ned</p> <p>Thanks for posting the article. &nbsp;This an area that can, as you indicate, cause much confusion. &nbsp;Just a couple of comments.</p> <p>1. &nbsp;My understanding is that task that does the AdminSDHolder protection evaluation and sets the security descriptor on protected objects is not in fact SDPROP. &nbsp;As far as I know there is no clear name for the task - I just call it &quot;the AdminSDHolder task.&quot; &nbsp;Whenever a change is made to an object's security descriptor, SDPROP is invoked simply to propagate the changes to child objects. &nbsp;In other words when objects are first protected by the AdminSDHolder task SDPROP is invoked, but doesn't really change anything (unless of course the object has child objects). </p> <p>This based on my understanding from an email conversation I had with someone knowledgeable a while back, so I could be wrong.</p> <p>2. You say...&quot;since it's assumed that regardless of group membership, AdminCount being 1 should trigger protection.&quot; &nbsp;This does not appear to be the case. &nbsp;If I set the adminCount value to 1 on an unprotected object it does not become protected on the next (hourly) cycle.</p> <p>Tony</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3237352" width="1" height="1">http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx#3237235Fri, 08 May 2009 02:05:14 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3237235Ask the Directory Services Team : Five common questions about &#8230; | Webmaster Tools<p>PingBack from <a rel="nofollow" target="_new" href="http://www.netdeluxo.com/blog/blogs/ask-the-directory-services-team-five-common-questions-about/">http://www.netdeluxo.com/blog/blogs/ask-the-directory-services-team-five-common-questions-about/</a></p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=3237235" width="1" height="1">