Article ID: 232199
Article Last Modified on 2/23/2007
APPLIES TO
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q232199
SUMMARY
The information in this article applies only to upgrading from Windows 2000 RC2 (or earlier builds) to the released version of Windows 2000. A change was made in Windows 2000 RC3 to the access control list (ACL) of the AdminSDHolder Active Directory object. This object is used to control the permissions of user accounts that are members of the built-in Administrators or Domain Administrators groups.
Every hour, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the following object:
CN=AdminSDHolder,CN=System,DC=MyDomain
,DC=Com
Replace "DC=MyDomain
,DC=Com
" in this path with the distinguished name (DN) of your domain.
If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.
NOTE: Using the following procedure is not required if you are upgrading Microsoft Windows NT 4.0 to the released version of Windows 2000.
MORE INFORMATION
To correct this situation, use this procedure on one domain controller per domain:
- Install the Windows 2000 Support tools from the Windows 2000 Professional or Server CD-ROM. These tools include a utility named Dsacls.exe, which you can use to view, modify, or remove access control entries on objects in Active Directory.
- Create a batch file with the following text, replacing "DC=
MyDomain
,DC=Com
" with the distinguished name (DN) of your domain):dsacls "cn=adminsdholder,cn=system,dc=
mydomain
,dc=com
" /G "\Everyone:CA;Change Password"
dsacls "cn=adminsdholder,cn=system,dc=mydomain
,dc=com
" /G "\Pre-Windows 2000 Compatible Access:RP;Remote Access Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain
,dc=com
" /G "\Pre-Windows 2000 Compatible Access:RP;General Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain
,dc=com
" /G "\Pre-Windows 2000 Compatible Access:RP;Group Membership"
dsacls "cn=adminsdholder,cn=system,dc=mydomain
,dc=com
" /G "\Pre-Windows 2000 Compatible Access:RP;Logon Information"
dsacls "cn=adminsdholder,cn=system,dc=mydomain
,dc=com
" /G "\Pre-Windows 2000 Compatible Access:RP;Account Restrictions" - Run the batch file on the domain controller. It adds the specified Access Control entries (ACEs) for the Everyone and Pre-Windows 2000 Compatible Access groups.
At a command prompt, type dsacls cn=adminsdholder,cn=system,dc=
mydomain
,dc=com
, replacing "DC=MyDomain
,DC=Com
" with the distinguished name (DN) of your domain). Compare it to the following output:Access list: {This object is protected from inheriting permissions from the parent} Effective Permissions on this object are: Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS READ PERMISSONS LIST CONTENTS READ PROPERTY LIST OBJECT Allow BUILTIN\Administrators SPECIAL ACCESS DELETE READ PERMISSONS WRITE PERMISSIONS CHANGE OWNERSHIP CREATE CHILD DELETE CHILD LIST CONTENTS WRITE SELF WRITE PROPERTY READ PROPERTY LIST OBJECT CONTROL ACCESS Allow IFRPILOT\Enterprise Admins SPECIAL ACCESS READ PERMISSONS WRITE PERMISSIONS CHANGE OWNERSHIP CREATE CHILD DELETE CHILD LIST CONTENTS WRITE SELF WRITE PROPERTY READ PROPERTY LIST OBJECT CONTROL ACCESS Allow FAA\Domain Admins SPECIAL ACCESS READ PERMISSONS WRITE PERMISSIONS CHANGE OWNERSHIP CREATE CHILD DELETE CHILD LIST CONTENTS WRITE SELF WRITE PROPERTY READ PROPERTY LIST OBJECT CONTROL ACCESS Allow NT AUTHORITY\SYSTEM FULL CONTROL Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS READ PERMISSONS LIST CONTENTS READ PROPERTY LIST OBJECT Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information READ PROPERTY Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information READ PROPERTY Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership READ PROPERTY Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions READ PROPERTY Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information READ PROPERTY Allow Everyone Change Password
Keywords: kbenv kbinfo KB232199