AdminSDHolder - or where did my permissions go?

Exchange 2010 RC touches AdminSDHolder

Directory Services/Active Directory — Wed, 09 Sep 2009 07:51:50 GMT

I was just pointed to the blog of David Loder who’s pointing out that the Release Candidate of Exchange

http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx — Sun, 16 Mar 2008 20:26:55 GMT

Pingback from msmvps.com/.../49659.aspx

MAPI problems on a BES server - BlackBerryForums.com : Your Number One BlackBerry Community

Wed, 23 Jan 2008 15:49:41 GMT

Pingback from MAPI problems on a BES server - BlackBerryForums.com : Your Number One BlackBerry Community

My devices just won't sync properly - BlackBerryForums.com : Your Number One BlackBerry Community

Wed, 15 Aug 2007 11:35:00 GMT

Pingback from My devices just won't sync properly - BlackBerryForums.com : Your Number One BlackBerry Community

"send as" permission keeps unsetting - BlackBerryForums.com : Your Number One BlackBerry Community

Wed, 15 Aug 2007 11:25:24 GMT

Pingback from "send as" permission keeps unsetting - BlackBerryForums.com : Your Number One BlackBerry Community

a street called straight » Blog Archive » Blackberry Enterprise Server / AdminSDHolder

Tue, 10 Jul 2007 17:43:50 GMT

Pingback from a street called straight » Blog Archive » Blackberry Enterprise Server / AdminSDHolder

Issue activating blackberry for returning user - BlackBerryForums.com : Your Number One BlackBerry Community

Tue, 03 Jul 2007 01:25:33 GMT

Pingback from Issue activating blackberry for returning user - BlackBerryForums.com : Your Number One BlackBerry Community

Unable to Send email - BlackBerryForums.com : Your Number One BlackBerry Community

Fri, 15 Jun 2007 00:52:28 GMT

Pingback from Unable to Send email - BlackBerryForums.com : Your Number One BlackBerry Community

There has to be a better way! - BlackBerryForums.com : Your Number One BlackBerry Community

Fri, 08 Jun 2007 04:08:35 GMT

Pingback from There has to be a better way! - BlackBerryForums.com : Your Number One BlackBerry Community

re: AdminSDHolder - or where did my permissions go?

Ulf B. Simon-Weidner — Thu, 01 Sep 2005 21:33:00 GMT

Thanks for the quick reply Ulf...
However, one of the users that is not inheriting permissions is only a member of All Users and Domain Users; no other groups. All Users is the universal distribution group. There are other users that are members of these groups and more that she can make changes to, but not this one. It is not inheriting permissions that would give her the rights to make those changes. KB817433 describes this issue. I got the patch from Microsoft and applied it, but have yet to see any changes.

re: AdminSDHolder - or where did my permissions go?

Ulf B. Simon-Weidner — Thu, 01 Sep 2005 13:42:00 GMT

Hi Adam,

it does not depend where your helpdesk user is a member of, it depends on where the accounts she tries to manage are members of. You can memberships of one of those "unmanageable" users with "whoami /all" on their desktop while they are logged in. Be carefull b/c even recursive memberships through a distribution group count but will not show via whoami.

You can also check the adminCount attribute of those users, if it's higher than 0 then they are underneath one of the protected groups.

Ulf

re: AdminSDHolder - or where did my permissions go?

Ulf B. Simon-Weidner — Thu, 01 Sep 2005 13:40:00 GMT

Hi Athif,

if you refer to the script in KB 817433 it only resets inheritance if the adminCount is 0. That means only users are affected which have been previously in one of the administrative protected groups.

Ulf

re: AdminSDHolder - or where did my permissions go?

Ulf B. Simon-Weidner — Wed, 31 Aug 2005 22:52:00 GMT

I am having the same issue, excpet the users that are not inheriting permissions are not members of any admin group. They actually are just random members of different OU's, with no common denominator. The way that I discovered this issue was that one of our helpdesk employees, who is not a member of an admin group, can make changes on most of the user accounts, but some she cannot. When I checked on it, the group she is a member of is not located on the security tab of these users and the permissions are not inheriting, while 95% of the other users in these same OU's are inheriting. Make sense?

re: AdminSDHolder - or where did my permissions go?

Ulf B. Simon-Weidner — Sat, 27 Aug 2005 13:57:00 GMT

Hi Simon,
Can you explain, what happens if the script as you mentioned is run on DC=domain, DC=com and contains some users who are part of the protected groups aka memeber of Adminstrators group. Will it ignore these or ???

Please email me Md DOT AthifKhaleel AT MVPS.ORG

Thanks
Mohammed Athif Khaleel
MVP - SUS / WSUS
Blog http://msmvps.com/athif/

re: AdminSDHolder - or where did my permissions go?

Ulf B. Simon-Weidner — Tue, 05 Jul 2005 00:12:00 GMT

Hi Athif,

thanks for the feedback. To clarify, the procedure you described is for the issue mentioned in my blog under "What else is important to know", Number 2:
<i>"Users, which are removed out of one of the protected groups (or their nested groups) do not inherit permissions from parent objects. You need to check the box to inherit permissions when removing those users out of the group manually, or use a script to check your users."</i>

It will not work on users which are still in one of the protected group - there it will be reset after one hour again.

There's also a script in http://support.microsoft.com/kb/817433 underneath "Workaround, Method 1" which does enable the inheritance on all users in a domain with admincount=0 (AKA users formerly belonged to one of the protected groups).

re: AdminSDHolder - or where did my permissions go?

Ulf B. Simon-Weidner — Mon, 04 Jul 2005 14:54:00 GMT

Excellent blog post. In short, to resolve this issue on the user object which cannot be managed by the delegated user account, you need to; Right-click the object, click Properties, and then click the Security tab (Advanced) Check the option, "Allow Inheritable Permission from Parent".

Note: It may take at least an hour for the changes to be propogated from the PDC as defined on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\AdminSDProtectFrequency

This behavior is to protect the "protected groups" in AD like those who are member for Domain Admins or Bulit-in Groups.

Good day,
Mohammed Athif Khaleel
MVP - SUS / WSUS
I Blog on http://msmvps.com/athif/

re: AdminSDHolder - or where did my permissions go?

Ulf B. Simon-Weidner — Thu, 02 Jun 2005 16:23:00 GMT

Hi Ulf,

tja, wir sind da auch gerade reingelaufen! Bestimmte User hatten das "inheritance" flag nicht gesetzt und auch die Rechte der OU nicht übernommen. Wir haben ein VBScript geschrieben, dass das Inheritance-Flag wieder setzt, aber nach einer Weile war das Flag wieder verloren und die Rechte nicht so, wie sie sein sollten. Zuerst kam ich nicht auf den "SDProp" threat, weil die betroffenen User keine besonderen sind und auch keine DIREKTE Mitgliedschaft in einer der geschützten Gruppen haben.
Die Frage konzentrierte sich dann darauf: wie bekomme ich eine vollständige Liste aller direkten UND indirekten Gruppenmitgleidschaften? Ich habe hier den Group Policy Modelling Wizard laufen lassen, der dir u.a. auch eine vollständige Liste all dieser Gruppen ausgibt. Und siehe da: die betroffenen User waren alle indirekte Mitglieder in "Account Operators", was bei einigen gar nicht der Fall sein sollte. Für die anderen Fälle haben wir es so gelöst, dass wir die entsprechenden Rechte auf dem "AdminSDHolder" Container gesetzt haben.

Viele Grüsse...Stefan