Microsoft KB Archive/232199

= Description and Update of the Active Directory AdminSDHolder Object =

Article ID: 232199

Article Last Modified on 2/23/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q232199





SUMMARY
The information in this article applies only to upgrading from Windows 2000 RC2 (or earlier builds) to the released version of Windows 2000. A change was made in Windows 2000 RC3 to the access control list (ACL) of the AdminSDHolder Active Directory object. This object is used to control the permissions of user accounts that are members of the built-in Administrators or Domain Administrators groups.

Every hour, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the following object:

CN=AdminSDHolder,CN=System,DC= ,DC=

Replace "DC= ,DC= " in this path with the distinguished name (DN) of your domain.

If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.

NOTE: Using the following procedure is not required if you are upgrading Microsoft Windows NT 4.0 to the released version of Windows 2000.



MORE INFORMATION
To correct this situation, use this procedure on one domain controller per domain:  Install the Windows 2000 Support tools from the Windows 2000 Professional or Server CD-ROM. These tools include a utility named Dsacls.exe, which you can use to view, modify, or remove access control entries on objects in Active Directory. Create a batch file with the following text, replacing "DC= ,DC= " with the distinguished name (DN) of your domain):

dsacls "cn=adminsdholder,cn=system,dc= ,dc= " /G "\Everyone:CA;Change Password"

dsacls "cn=adminsdholder,cn=system,dc= ,dc= " /G "\Pre-Windows 2000 Compatible Access:RP;Remote Access Information"

dsacls "cn=adminsdholder,cn=system,dc= ,dc= " /G "\Pre-Windows 2000 Compatible Access:RP;General Information"

dsacls "cn=adminsdholder,cn=system,dc= ,dc= " /G "\Pre-Windows 2000 Compatible Access:RP;Group Membership"

dsacls "cn=adminsdholder,cn=system,dc= ,dc= " /G "\Pre-Windows 2000 Compatible Access:RP;Logon Information"

dsacls "cn=adminsdholder,cn=system,dc= ,dc= " /G "\Pre-Windows 2000 Compatible Access:RP;Account Restrictions"

 Run the batch file on the domain controller. It adds the specified Access Control entries (ACEs) for the Everyone and Pre-Windows 2000 Compatible Access groups.  At a command prompt, type dsacls cn=adminsdholder,cn=system,dc= ,dc=, replacing "DC= ,DC= " with the distinguished name (DN) of your domain). Compare it to the following output: Access list: {This object is protected from inheriting permissions from the parent} Effective Permissions on this object are: Allow NT AUTHORITY\Authenticated Users           SPECIAL ACCESS                                                  READ PERMISSONS                                                  LIST CONTENTS                                                  READ PROPERTY                                                  LIST OBJECT Allow BUILTIN\Administrators                      SPECIAL ACCESS                                                  DELETE                                                  READ PERMISSONS                                                  WRITE PERMISSIONS CHANGE OWNERSHIP CREATE CHILD DELETE CHILD LIST CONTENTS WRITE SELF WRITE PROPERTY READ PROPERTY LIST OBJECT CONTROL ACCESS Allow IFRPILOT\Enterprise Admins                 SPECIAL ACCESS READ PERMISSONS WRITE PERMISSIONS CHANGE OWNERSHIP CREATE CHILD DELETE CHILD LIST CONTENTS WRITE SELF WRITE PROPERTY READ PROPERTY LIST OBJECT CONTROL ACCESS Allow FAA\Domain Admins                          SPECIAL ACCESS READ PERMISSONS WRITE PERMISSIONS CHANGE OWNERSHIP CREATE CHILD DELETE CHILD LIST CONTENTS WRITE SELF WRITE PROPERTY READ PROPERTY LIST OBJECT CONTROL ACCESS Allow NT AUTHORITY\SYSTEM                        FULL CONTROL Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS READ PERMISSONS LIST CONTENTS READ PROPERTY LIST OBJECT Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information READ PROPERTY Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information READ PROPERTY Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership READ PROPERTY Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions READ PROPERTY Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information READ PROPERTY Allow Everyone                                   Change Password 

Keywords: kbenv kbinfo KB232199

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.