Microsoft KB Archive/301188

= Security tab of the adminSDHolder object does not display all properties =

Article ID: 301188

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q301188



SYMPTOMS
When you view the Access Control List (ACL) on the Security tab of the AdminSDholder object properties in the Active Directory Users and Computers snap-in or ADSI Edit tool, you are unable to configure fields that are associated with user accounts or groups.

Advanced fields, such as, Change Password, Reset Password, Receive As, and Send As are not displayed, as expected.



CAUSE
This behavior can occur because the AdminSDHolder object is a container object that is used only as a template to store permissions. Even though the permissions that are applied to it are intended to be applied to the user or group objects, the ACL editor only displays the access control entries (ACEs) for the type of object that it is currently editing (the container object).



RESOLUTION
Modify the permissions of this object through the Dsacls.exe utility or a write an ADSI script.

For additional information about how to install the Dsacls.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:

301423 How to install the Windows 2000 support tools to a Windows 2000 Server-based computer

For more information on ADSI, search for this topic on the following Microsoft Web site:

http://msdn.microsoft.com



STATUS
This behavior is by design.



MORE INFORMATION
The AdminSDHolder container object is a template that holds a set of permissions that are applied to accounts that are members of the built-in Administrators or Domain Administrators groups. These permissions are applied at regular intervals. The regular application of permissions on the users in the Administrators group is a security feature designed to maintain consistent permissions on those user accounts. The AdminSDHolder container object can be located in Active Directory at the following location:

CN=adminSDHolder,CN=System,DC= ,DC=

Note In a Microsoft Windows Server 2003-based Active Directory domain, the Administrators group object also receives the same permissions.

For additional information about the adminSDHolder object and samples of the Dsacls command, click the following article number to view the article in the Microsoft Knowledge Base:

232199 Description and update of Active Directory AdminSDHolder object

Additional query words: DSA.MSC

Keywords: kbprb KB301188

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.