Delegation Permission Rolling back after 1 Hour - Windows 2012 r2 Domain Controller

asked 2020-08-24T13:48:45.007+00:00
Mohsin Sabir 1 Reputation point

Related to delegation permissions for the helpdesk. I have removed the helpdesk from the Domain Admins group as part of a cleanup process. Delegation is in place, and I am noticing that some of the users' permissions revert and they are not able to perform their tasks, such as moving users/computers around to various OUs, etc. Then I have to enable inheritance on their account and it works for an hour.

How can I find out if these users are part of any protected groups?

reference:
https://community.spiceworks.com/topic/1460024-ad-unlock-group-for-account-delegation-was-working-but-recently-stopped
https://www.cbfive.com/adminsdholder-permissions-propagate-protected-accounts-deligation-issue/

Thank you


1 answer

  1. answered 2020-08-25T00:14:58.367+00:00
    Fan Fan 15,041 Reputation points

    Hi,
    If the adminCount attribute on a user is set to 1, we can assume it is (or was at some point in the past) a member of a protected group and affected by the AdminSDHolder role.
    You can check the adminCount attribute on a user in ADUC (with advanced features enabled) or ADSIEdit.

    Or use a PowerShell command to get the list of all protected groups in an Active Directory domain:
    Get-ADGroup -LDAPFilter "(adminCount=1)"

    Based on my research, if you want to prevent a user or a group from being affected by the protected groups, you must remove them from the protected groups and you must manually set them back to allowing inheritance and set adminCount to 0, usually through ADSI.

    Following links for your reference:

    https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
    https://learn.microsoft.com/en-us/archive/blogs/askds/five-common-questions-about-adminsdholder-and-sdprop
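The steps in the answer above (list protected groups, find accounts still flagged with adminCount=1, then clear the flag and re-enable inheritance) as one added PowerShell example; this is not code from the answerer or from Microsoft, it assumes the ActiveDirectory RSAT module is installed and that the account running it may read group membership and write to the affected user objects.

```powershell
# Added example (not from the answer above): find accounts flagged by AdminSDHolder
# that are no longer members of any protected group, then optionally clear the flag
# and re-enable ACL inheritance. Assumes the ActiveDirectory RSAT module is present.
# SDProp re-stamps the AdminSDHolder ACL roughly every 60 minutes by default, which
# is why manually enabling inheritance on a still-flagged account only lasts an hour.
Import-Module ActiveDirectory

# Groups currently protected by AdminSDHolder (adminCount=1 on the group object)
$protectedGroups = Get-ADGroup -LDAPFilter "(adminCount=1)"

# Build the set of every user that is (recursively) a member of a protected group
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protectedMembers[$_.distinguishedName] = $true }
}

# Users still carrying adminCount=1 but not in any protected group ("orphaned"):
# these are the helpdesk-style accounts whose delegated permissions keep reverting.
$orphaned = Get-ADUser -LDAPFilter "(adminCount=1)" -Properties adminCount |
    Where-Object { -not $protectedMembers.ContainsKey($_.DistinguishedName) }

foreach ($u in $orphaned) {
    Write-Host "Orphaned AdminSDHolder flag: $($u.SamAccountName)"
}

# Remediation (uncomment after reviewing the list above): clear adminCount and
# re-enable inheritance so SDProp stops overwriting the OU-delegated ACL.
# foreach ($u in $orphaned) {
#     Set-ADUser -Identity $u -Clear adminCount
#     $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
#     $acl.SetAccessRuleProtection($false, $true)   # inherit from the parent OU again
#     Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
# }
```

Accounts that are still genuine members of a protected group are intentionally skipped, since SDProp will re-protect them on its next pass regardless of what is set here.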