Delegation Permission Rolling back after 1 Hour - Windows 2012 r2 Domain Controller

Mohsin Sabir 1 Reputation point
2020-08-24T13:48:45.007+00:00

Related to delegation permissions for helpdesk. I have removed the helpdesk from domain admins group as a process to cleanup. Delegation is in place and I am noticing that some of the users permissions revert back and they are not able to perform their tasks such as move users/computers around to various OUs etc. Then I have to enable inheritance on their account and it works for an hour.

How can I find out if these users are part of any protected groups?

reference:
https://community.spiceworks.com/topic/1460024-ad-unlock-group-for-account-delegation-was-working-but-recently-stopped
https://www.cbfive.com/adminsdholder-permissions-propagate-protected-accounts-deligation-issue/

Thank you


1 answer

  1. Anonymous
    2020-08-25T00:14:58.367+00:00

    Hi,
    If the adminCount attribute on a user is set to 1, we can assume it is (or was at some point in the past) a member of a protected group and affected by the AdminSDHolder role.
    You can check the adminCount attribute on a user in ADUC (with advanced features enabled) or ADSIEdit.

    Or use a PowerShell command to get the list of all protected groups in an Active Directory domain:
    Get-ADGroup -LDAPFilter "(admincount=1)"

    Based on my research, if you want to prevent a user or a group from being affected by the protected groups, you must remove them from the protected groups and you must manually set back to allowing inheritance and set AdminCount to 0, usually through ADSI.

    Following links for your reference:

    https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
    https://learn.microsoft.com/en-us/archive/blogs/askds/five-common-questions-about-adminsdholder-and-sdprop
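
The hourly rollback described in the question is the SDProp process, which by default runs every 60 minutes on the PDC emulator and re-stamps the AdminSDHolder ACL onto every account that is a direct or nested member of a protected group. The following script is an added example, not code from the thread or from Microsoft: it lists every user with adminCount=1, checks whether the account is still a member (nested membership included) of one of the well-known protected groups, reports whether inheritance is currently blocked on the object, and, only when run with -Repair, clears adminCount and re-enables inheritance on the accounts that are no longer protected. The group list is the default AdminSDHolder set (an assumption; a domain can add or exclude operator groups via dsHeuristics), and names that do not exist in the domain are skipped. It assumes the RSAT ActiveDirectory module and rights to modify the affected user objects.

```powershell
# Added example (not from the original thread): find users still carrying adminCount=1,
# decide whether each is really still protected, and optionally repair the orphans.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Without -Repair the script only reports; with -Repair it fixes orphaned accounts.
    [switch]$Repair
)

Import-Module ActiveDirectory

# Default AdminSDHolder-protected groups (assumed default set; dsHeuristics can change it).
# Groups missing from this domain (e.g. Key Admins on a 2012 R2 schema) are skipped.
$protectedGroupNames = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Controllers', 'Read-only Domain Controllers',
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Key Admins', 'Enterprise Key Admins'
)

function Get-ProtectedMemberDns {
    # Collects the DNs of every direct or nested member of a protected group.
    # Nested membership is exactly what an adminCount-only or direct-membership check misses.
    $dns = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($name in $protectedGroupNames) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { [void]$dns.Add($_.DistinguishedName) }
    }
    return $dns
}

function Get-AdminCountReport {
    # One row per user with adminCount=1: is it still protected, and is inheritance blocked?
    $protected = Get-ProtectedMemberDns
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            DistinguishedName  = $_.DistinguishedName
            StillProtected     = $protected.Contains($_.DistinguishedName)
            InheritanceBlocked = $acl.AreAccessRulesProtected
        }
    }
}

function Repair-OrphanedAdminCount {
    # Clears adminCount and re-enables ACL inheritance on one user object.
    # Only meaningful for accounts that are no longer protected; otherwise SDProp
    # simply re-applies the AdminSDHolder ACL within the hour.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$DistinguishedName)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Clear adminCount and re-enable inheritance')) {
        Set-ADUser -Identity $DistinguishedName -Clear adminCount
        $path = 'AD:\' + $DistinguishedName
        $acl = Get-Acl -Path $path
        # $false = stop protecting (blocking) inherited ACEs; $true = keep existing explicit ACEs
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}

$report = Get-AdminCountReport
$report | Format-Table -AutoSize

if ($Repair) {
    $report | Where-Object { -not $_.StillProtected } | ForEach-Object {
        Repair-OrphanedAdminCount -DistinguishedName $_.DistinguishedName
    }
}
```

Run it once without switches to get the report; any row with StillProtected set to True is an account that SDProp will keep resetting until it is removed from the listed group (or from a group nested in one), so fixing inheritance on it is wasted effort. Run it with -Repair -WhatIf to see which accounts would be changed, and with -Repair to apply the change. The explicit ACEs on the object are preserved during the repair, so the helpdesk delegation granted on the OU becomes effective again through inheritance rather than by editing each user.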

