AdminCount 1 but permissions inheriting

Joshua Reynolds 0 Reputation points
2025-04-22T00:07:45.25+00:00

Slightly weird one here:
I know when AdminCount is set to 1 it is supposed to disable inheritance and set the permissions to that of the 'CN=AdminSDHolder,CN=System' container. When researching there are streams of sites talking about this; however, I have the opposite issue. I have a number of accounts and groups flagged, but they seem to be inheriting permissions from their parent OUs, which has led to delegated accounts being able to modify membership of groups like Domain Admins. Has anyone come across this before, or know what I should be looking at to find out why it may be allowing inheritance on protected accounts?

Active Directory

1 answer

  1. Geoff McKenzie 860 Reputation points
    2025-04-22T06:07:51.78+00:00

    Hi Joshua,

    A few items to consider.

    1. The PDCe FSMO role holder is the one server that looks after ensuring protected objects have the AdminSDHolder permissions set. I assume your PDCe is working correctly.
    2. The AdminCount attribute value is an indicator that the object WAS a protected object at some point in the past, i.e. if a user is added to Domain Admins then they become a protected user (AdminCount = 1). But if you remove the user from all 'admin' or 'protected' groups, AD does NOT remove the AdminCount = 1 value. You have to do that manually if it is important to you.

    So, the background process on the PDCe evaluates all members of protected groups and applies the AdminSDHolder's permissions to all members which do not currently match that security descriptor. It does not appear to use the AdminCount value as a guide anymore; it just changes it to 1 if it is set to 0 on an object that it has changed. It doesn't change it back to 0 when an object is no longer in scope (i.e. removed from the group).

    Here are some references.

    https://techcommunity.microsoft.com/blog/askds/five-common-questions-about-adminsdholder-and-sdprop/396293

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
    https://secureidentity.se/adminsdholder-pitfalls-and-misunderstandings/

    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/dd3d29f3-8e1e-4e8c-a210-9eaef3abd628

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/reducing-the-active-directory-attack-surface

    This one is new to me - looks like you can exclude some groups - Definitely fits in the category of check everything and test it thrice ;-)

    https://petri.com/active-directory-security-understanding-adminsdholder-object/

    HTH

    Regards

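An audit script that checks the points raised in the answer above: whether the PDCe is the one expected, which objects are actually in SDProp's scope (transitive members of the protected groups, plus Administrator and krbtgt), whether each adminCount=1 object really has inheritance blocked and its DACL matching AdminSDHolder, and whether dSHeuristics excludes any operator groups. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, a domain-joined session with read access to nTSecurityDescriptor, and that protected group DNs contain no LDAP filter metacharacters. The protected group list is the one from the Appendix C reference linked in the answer.

```powershell
# Added audit example (not from the original thread). Assumes RSAT ActiveDirectory module
# and read access to nTSecurityDescriptor on the objects being inspected.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rootDse  = Get-ADRootDSE
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# 1. SDProp only runs on the PDC emulator; if it is down or lagging, nothing gets stamped.
Write-Host "PDC emulator for $($domain.DNSRoot): $($domain.PDCEmulator)"

# 2. The DACL SDProp copies onto protected objects, as SDDL for a simple comparison.
$holder       = Get-ADObject -Identity $holderDn -Properties nTSecurityDescriptor
$templateDacl = $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')

# 3. dSHeuristics character 16 (dwAdminSDExMask) can exclude operator groups from SDProp:
#    bit 1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators.
$dsSvcDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$heur    = (Get-ADObject -Identity $dsSvcDn -Properties dSHeuristics).dSHeuristics
if ($heur -and $heur.Length -ge 16 -and $heur[15] -ne '0') {
    Write-Warning "dSHeuristics char 16 = '$($heur[15])': some operator groups are excluded from SDProp"
}

# 4. Build the real SDProp scope: transitive members of the protected groups.
#    Domain-relative RIDs plus BUILTIN SIDs; Schema/Enterprise (Key) Admins exist only in the forest root.
$domainSid     = $domain.DomainSID.Value
$protectedSids = @(
    "$domainSid-512", "$domainSid-516", "$domainSid-518", "$domainSid-519",
    "$domainSid-521", "$domainSid-526", "$domainSid-527",
    'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',
    'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552'
)
$inScope = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($sid in $protectedSids) {
    try { $grp = Get-ADGroup -Identity $sid -ErrorAction Stop } catch { continue }
    [void]$inScope.Add($grp.DistinguishedName)
    # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership and returns users AND nested groups,
    # which is what SDProp protects (Get-ADGroupMember -Recursive would drop the nested groups).
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))" |
        ForEach-Object { [void]$inScope.Add($_.DistinguishedName) }
}
# Administrator (RID 500) and krbtgt (RID 502) are protected regardless of group membership.
foreach ($rid in 500, 502) {
    try { [void]$inScope.Add((Get-ADUser -Identity "$domainSid-$rid" -ErrorAction Stop).DistinguishedName) } catch {}
}

# 5. Inspect every object flagged adminCount=1 and compare its ACL with the template.
$sidType = [System.Security.Principal.SecurityIdentifier]
$report  = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
               -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd        = $_.nTSecurityDescriptor
        $inherited = @($sd.GetAccessRules($false, $true, $sidType)).Count   # inherited ACEs only
        [pscustomobject]@{
            Name               = $_.Name
            Class              = $_.ObjectClass
            InSdPropScope      = $inScope.Contains($_.DistinguishedName)
            InheritanceBlocked = $sd.AreAccessRulesProtected
            InheritedAces      = $inherited
            DaclMatchesHolder  = ($sd.GetSecurityDescriptorSddlForm('Access') -eq $templateDacl)
            DN                 = $_.DistinguishedName
        }
    }

# Objects SDProp should be protecting but whose ACL still inherits: the asker's situation.
"`n== In scope but inheritance still active (check the PDCe / SDProp) =="
$report | Where-Object { $_.InSdPropScope -and (-not $_.InheritanceBlocked -or $_.InheritedAces -gt 0) } |
    Format-Table Name, Class, InheritanceBlocked, InheritedAces, DaclMatchesHolder -AutoSize

# Objects carrying a stale adminCount=1 that SDProp no longer touches (point 2 in the answer).
"`n== adminCount=1 but not a member of any protected group (stale flag) =="
$report | Where-Object { -not $_.InSdPropScope } | Format-Table Name, Class, DN -AutoSize
```

Read the first table as the direct answer to the question: if in-scope objects still show inherited ACEs an hour after being added to a protected group, SDProp is not running against them, so check the PDCe (event logs, replication, dSHeuristics exclusions) rather than the OU ACLs. Objects in the second table are the stale-flag case from point 2 of the answer; once you have confirmed they should not be protected, `Set-ADObject -Identity <DN> -Clear adminCount` plus re-enabling inheritance on the object is the cleanup. The DACL comparison is a heuristic (SDDL string equality), so a `False` there with inheritance blocked usually means a manual edit after SDProp last ran, which SDProp will overwrite on its next pass.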
