How to delegate permissions on AdminSDHolder users???

InfoTechdude 156 Reputation points
2020-11-04T16:31:24.677+00:00

Hi,

I was wondering how to delegate permissions on AdminSDHolder users??? I found out that some of the accounts are protected by AdminSDHolder, but I don't really get how to do it. Examples of those accounts would be: Admins, KRBTGT and more:
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
Thanks for any clue!

Windows Server 2012
Active Directory
Windows Server Security

2 answers

  1. Thameur-BOURBITA 32,986 Reputation points
    2020-11-04T23:22:49.347+00:00

    Hi,

    The SDprop process is responsible for protecting the ACLs of protected accounts by disabling inheritance and applying the ACL template of AdminSDHolder to protected objects. This process runs automatically every 60 minutes.

    To know whether an account is protected by this process, you can check the value of the attribute AdminCount.

    To get more details about this process, I invite you to read this article:

    appendix-c--protected-accounts-and-groups-in-active-directory

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.


  2. Fan Fan 15,336 Reputation points Microsoft Vendor
    2020-11-05T00:25:28.857+00:00

    Hi,
    Would you please tell us what permissions you want to delegate?
    As Thameur mentioned above: the SDprop process is responsible for protecting the ACLs of protected accounts by disabling inheritance and applying the ACL template of AdminSDHolder to protected objects. This process runs automatically every 60 minutes.

    If you want to delegate permissions through the Delegation of Control wizard, even if you delegate permissions to the account, the SDprop process will apply the ACL template of AdminSDHolder to protected objects.

    Or you want to enable inheritance on the adminSDHolder container, but one of the two protective access control list (ACL) mechanisms is disabled (not recommended).
    Or change security on the adminSDHolder container directly (not recommended).

    Best Regards,
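
The checks described in the two answers above, as an added PowerShell example (not code from the thread or from Microsoft): it lists objects with adminCount = 1, reports whether ACL inheritance is disabled on each, and counts the ACEs that differ from the AdminSDHolder template. It assumes the ActiveDirectory RSAT module, read access to the domain, and the default AdminSDHolder location under CN=System; `Get-AceKey` and the report column names are made up for this example.

```powershell
# Added example: audit AdminSDHolder-protected objects (read-only, changes nothing).
# Assumes the ActiveDirectory module (RSAT) and a session with read access to the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
# Default location of the template object whose ACL SDprop applies.
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# Hypothetical helper: flatten one ACE to a string so ACLs can be compared as sets.
function Get-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType, $Ace.InheritedObjectType,
        $Ace.InheritanceType
}

# The template ACL on the AdminSDHolder container.
$holderAcl    = Get-Acl -Path "AD:\$holderDN"
$templateKeys = @($holderAcl.Access | ForEach-Object { Get-AceKey $_ })

# Users and groups whose AdminCount attribute is 1.
$protected = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
                          -Properties adminCount

$report = foreach ($obj in $protected) {
    $acl     = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    $objKeys = @($acl.Access | ForEach-Object { Get-AceKey $_ })
    $diff    = @(Compare-Object -ReferenceObject $templateKeys -DifferenceObject $objKeys)

    [pscustomobject]@{
        Name                = $obj.Name
        ObjectClass         = $obj.ObjectClass
        # True when inheritance is disabled on the object's ACL.
        InheritanceDisabled = $acl.AreAccessRulesProtected
        # ACEs present on the object but not on the template (e.g. a fresh delegation).
        ExtraAces           = @($diff | Where-Object SideIndicator -eq '=>').Count
        # ACEs present on the template but not on the object.
        MissingAces         = @($diff | Where-Object SideIndicator -eq '<=').Count
    }
}

# Objects that differ from the template are listed first.
$report | Sort-Object ExtraAces, MissingAces -Descending | Format-Table -AutoSize
```

An object that shows extra ACEs right after a delegation should show none once SDprop has run again, which is the behaviour both answers describe.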

