Changing the Security Descriptor on AdminSDHolder

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

The security descriptor on AdminSDHolder serves two purposes. First, it controls access to the AdminSDHolder object itself. Second, it acts as the master security descriptor that is periodically applied to the service administrator accounts and their members to ensure that they remain protected.

Requirements

• Credentials: Domain Admins

• Tools: Active Directory Users and Computers

To change the security descriptor on AdminSDHolder

1. Log on with Domain Admins credentials, and then open Active Directory Users and Computers.

2. On the View menu, click Advanced Features.

3. In the console tree, click the System container.

4. In the details pane, right-click AdminSDHolder, and then click Properties.

5. On the Security tab, modify the security descriptor by changing the settings as specified in Table 39.