Delegating Permission to the AdminSDHolder Object

Anonymous
2024-04-15T04:07:51+00:00

Hi There,

I've been asked to grant our identity management system the rights to set the AccountExpires attribute on Domain Admin accounts (I'm still not sure this is a good idea in itself, but I need to at least try).

I have delegated to a group, of which my service account is a member, the permission to write to that property on the AdminSDHolder object using "DSACLS 'cn=adminSDholder,cn=system,dc=domain,dc=com' /I:S /G $sGrp":WP;accountExpires;user" and waited for the SDProp process to kick in, and I can see the delegation has been picked up on individual Domain Admin accounts.

However, when I attempt to update the accountExpires value using either "set-aduser -Identity samAccountName -AccountExpirationDate $date" or "Set-ADAccountExpiration -Identity samAccountName -DateTime "30/04/24"" I'm still getting an "Insufficient access rights" error.

Is what I'm doing the correct way to achieve my goal?




7 answers

  1. Anonymous
    2024-04-15T09:08:56+00:00

    Hello broonster27,

    Thank you for posting in Microsoft Community forum.

    You can try granting the service account write permission to the property on the AdminSDHolder object manually via the GUI and check if it helps.

    If it helps, maybe you did not give the permission successfully using "DSACLS 'cn=adminSDholder,cn=system,dc=domain,dc=com' /I:S /G $sGrp":WP;accountExpires;user".

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2024-04-15T19:06:09+00:00

    But you can see in the screen shot the permissions have been granted to the object correctly.

  3. Anonymous
    2024-04-16T08:33:11+00:00

    Hello broonster27,

    Good day!

    From the description you mentioned below, it seems the service account has no specific permissions.
    when I attempt to update the accountExpires value using either "set-aduser -Identity samAccountName -AccountExpirationDate $date" or "Set-ADAccountExpiration -Identity samAccountName -DateTime "30/04/24"" I'm still getting an "Insufficient access rights" error.

    You can check whether this group with the service account (or the service account itself) has all the permissions you want via the GUI.

    Right-click the AdminSDHolder object and select Properties, then the Security tab, Advanced Security Settings\Effective Access\Select a user (type this service account or this group).

    Click "View Effective Access" button.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  4. Anonymous
    2024-04-19T03:00:23+00:00

    I used the GUI to grant the same permissions and I'm still getting the access denied error. Also, after using the GUI, the exact same permissions are assigned as when I was using DSACLS.

    I tried using the effective access tab but the "Account Expires" attribute is not exposed to the GUI.

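Added example (not part of the thread or from any of the posters above): since the Effective Access dialog does not list Account Expires, the script below does the two checks a practitioner would want in PowerShell instead. First it dumps every Allow ACE that grants WriteProperty on accountExpires (or on all properties) on AdminSDHolder and on every adminCount=1 user, including whether the ACE is flagged InheritOnly. That flag matters because SDProp copies the AdminSDHolder DACL verbatim and an InheritOnly ACE applies only to child objects, never to the object it sits on, so it shows up on the Domain Admin accounts without granting anything on them. Second, it reads the constructed attribute allowedAttributesEffective as the service account, which is the directory's own answer to "can this caller write accountExpires on this object". The group name DOMAIN\svc-idm-writers and the credential prompt are assumptions for illustration; the domain is whatever the session is joined to.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDse = Get-ADRootDSE

# Schema GUID of accountExpires, needed to match attribute-specific ACEs (ObjectType).
$schemaEntry = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=accountExpires)' -Properties schemaIDGUID
$accountExpiresGuid = [guid]::new([byte[]]$schemaEntry.schemaIDGUID)

function Get-AccountExpiresAces {
    <# Lists Allow ACEs on an object that carry WriteProperty for accountExpires
       (or for all properties), optionally filtered to one trustee. #>
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Identity   # e.g. 'DOMAIN\svc-idm-writers' (assumed name); empty = all trustees
    )
    $writeProp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
            ($_.ObjectType -eq $accountExpiresGuid -or $_.ObjectType -eq [guid]::Empty) -and
            (-not $Identity -or $_.IdentityReference.Value -eq $Identity)
        } |
        ForEach-Object {
            $inheritOnly = ([int]$_.PropagationFlags -band
                [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
            [pscustomobject]@{
                Object          = $DistinguishedName
                Trustee         = $_.IdentityReference.Value
                Rights          = $_.ActiveDirectoryRights
                Attribute       = if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { 'accountExpires' }
                InheritanceType = $_.InheritanceType
                # An InheritOnly ACE never applies to the object it is defined on.
                AppliesToSelf   = -not $inheritOnly
                IsInherited     = $_.IsInherited
            }
        }
}

function Test-CanWriteAccountExpires {
    <# Asks the DC directly, as the given caller, whether accountExpires is writable
       on the object. allowedAttributesEffective is computed server-side from the
       caller's effective rights, so it already accounts for group membership,
       inheritance flags and AdminSDHolder protection. #>
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $obj = Get-ADObject -Identity $DistinguishedName `
        -Properties allowedAttributesEffective -Credential $Credential
    return [bool]($obj.allowedAttributesEffective -contains 'accountExpires')
}

# 1) ACE view: AdminSDHolder plus every protected (adminCount=1) user.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$targets = @($adminSdHolder) +
    @(Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object -ExpandProperty DistinguishedName)

$targets |
    ForEach-Object { Get-AccountExpiresAces -DistinguishedName $_ -Identity 'DOMAIN\svc-idm-writers' } |
    Format-Table Object, Trustee, Attribute, InheritanceType, AppliesToSelf, IsInherited -AutoSize

# 2) Effective view: run as the service account (prompted here; assumed account name).
$svcCred = Get-Credential -UserName 'DOMAIN\svc-idm' -Message 'Service account credentials'
foreach ($dn in $targets | Where-Object { $_ -ne $adminSdHolder }) {
    $ok = Test-CanWriteAccountExpires -DistinguishedName $dn -Credential $svcCred
    '{0,-6} {1}' -f ($(if ($ok) { 'WRITE' } else { 'DENIED' })), $dn
}
```

Reading the output: if the ACE on the protected accounts shows AppliesToSelf = False (InheritanceType Descendents / PropagationFlags InheritOnly), it was copied by SDProp but is ineffective on the user objects themselves, and allowedAttributesEffective will not contain accountExpires for the service account. Re-run after adjusting the delegation on AdminSDHolder and after the next SDProp pass (or after forcing one with the RunProtectAdminGroupsTask rootDSE operation) to confirm the change has propagated before testing Set-ADAccountExpiration again.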