@Tomasz Bielen It's a little unclear what you're looking to accomplish. You wrote:
...working on cleaning AdminSdHolders
I have a forest with a lot of domains and I would like to get all users/servers/service accounts who have any kind of access on AdminSdHolders on each domain.
Are (or were) you attempting to clean up the AdminSDHolder template or clean up Forest privileged accounts that are protected by AdminSDHolder?
First off, it would be a mistake to solely rely on the AdminCount attribute value to determine whether a privileged account is being protected by AdminSDHolder (SDProp). This is the lazy way. Relying on this (as inferred above) could easily produce false positives in determining whether an account is privileged (rookie mistake).
I suggest reading this MS article covering AdminSDHolder & SDProp - then play around with the behavior (it's not quite so Boolean as one might think).
Depending on the number of Domains within a Forest, determining what is/isn't privileged can become increasingly difficult (e.g. nestings within nestings, etc.)
Two scenarios you'll be facing. Whether an account is added and remains in, and/or is subsequently removed from, a built-in privileged group, an obvious surefire indicator for both instances is that ACL inheritance is disabled and AdminCount reflects a value of 1.
In one scenario, where an account is added and remains a member of one or more privileged groups, it is protected by AdminSDHolder.
In another scenario, where an account is added, then subsequently removed from all privileged groups, it also remains protected by AdminSDHolder.
Both accounts will also have their AdminCount set to a value of 1. Note: It is, however, best practice to retire any account that has been added to/removed from any privileged group.
The AdminCount value can also be cleared manually. Once SDProp runs again (default 60 mins), you'll have a relatively good idea by reviewing AdminCount which accounts are privileged.
Here's a rough script which also combs through a Forest (each domain) and provides a readout of all actual privileged users.
Hope this helps bro!
https://github.com/PepsiJuror/DTS__PS_ActiveDirectory/tree/main/AD_Privileged
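One way to perform the cross-check the reply describes (AdminCount, inheritance blocked on the object, and actual recursive membership of a protected group, per domain in the forest), as an added example that is not the poster's linked script: it assumes the RSAT ActiveDirectory module, a reader with rights in every domain, and the default set of protected groups (the real set is governed by each domain's SDProp configuration).

```powershell
# Added example (not the poster's script): for every domain in the forest, list objects with
# adminCount=1, check whether ACL inheritance is blocked on them, and check whether they are
# still a (recursive) member of a protected group. "Orphaned" marks accounts that SDProp still
# protects but that are no longer in any protected group, i.e. cleanup candidates.
Import-Module ActiveDirectory

# Assumed default protected groups; adjust to match the forest's actual SDProp configuration.
$protectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators', 'Replicator')

function Get-SdPropStatus {
    param([Parameter(Mandatory)][string]$Domain)
    $dc = (Get-ADDomainController -DomainName $Domain -Discover).HostName[0]

    # Collect the DNs of every recursive member of each protected group that exists in this domain.
    $protectedMembers = @{}
    foreach ($name in $protectedGroups) {
        $grp = Get-ADGroup -Filter "Name -eq '$name'" -Server $dc -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        Get-ADGroupMember -Identity $grp -Recursive -Server $dc -ErrorAction SilentlyContinue |
            ForEach-Object { $protectedMembers[$_.distinguishedName] = $true }
    }

    # Every object SDProp has stamped, with its security descriptor so inheritance can be inspected.
    Get-ADObject -Filter 'adminCount -eq 1' -Server $dc `
        -Properties nTSecurityDescriptor, sAMAccountName, objectClass |
        ForEach-Object {
            $inheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            $inProtectedGroup   = $protectedMembers.ContainsKey($_.distinguishedName)
            [pscustomobject]@{
                Domain             = $Domain
                Account            = $_.sAMAccountName
                Class              = $_.objectClass
                InheritanceBlocked = $inheritanceBlocked
                InProtectedGroup   = $inProtectedGroup
                Orphaned           = ($inheritanceBlocked -and -not $inProtectedGroup)
            }
        }
}

# Walk every domain in the forest and print orphaned (still protected, no longer privileged) first.
(Get-ADForest).Domains | ForEach-Object { Get-SdPropStatus -Domain $_ } |
    Sort-Object Domain, Orphaned -Descending | Format-Table -AutoSize
```

Get-ADGroupMember -Recursive may not resolve members that live in another domain of the forest, so accounts nested through cross-domain groups should be verified separately before being treated as orphaned.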