Delegation Permission Rolling back after 1 Hour - Windows 2012 r2 Domain Controller

Question

Related to delegation permissions for helpdesk. I have removed the helpdesk from domain admins group as a process to cleanup. Delegation is in place and I am noticing that some of the users permissions revert back and they are not able to perform their tasks such as move users/computers around to various OUs etc. Then I have to enable inheritance on their account and it works for an hour.

How can I find out if these users are part of any protected groups?

reference:
https://community.spiceworks.com/topic/1460024-ad-unlock-group-for-account-delegation-was-working-but-recently-stopped
https://www.cbfive.com/adminsdholder-permissions-propagate-protected-accounts-deligation-issue/

Thank you

Answer 1

Hi,
If the adminCount attribute on a user is set to 1, we can assume it is (or was at some point in the past) a member of a protected group and affected by the AdminSDHolder role.
You can check the adminCount attribute on a user in ADUC (with advanced features enabled) or ADSIEdit.

Or use a powershelll command to get the list of all protected groups in an Active Directory Domain :
Get-ADGroup –LDAPFilter “(admincount=1)”

Based on my research, if you wan to prevent a a user or a group from being affected from the protected groups, you must remove them from the protected groups and you must manually set back to allowing inheritance and set AdminCount to 0, usually through ADSI.

Following links for your reference:

https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
https://learn.microsoft.com/en-us/archive/blogs/askds/five-common-questions-about-adminsdholder-and-sdprop