What are AdminSDHolder and SDPROP?
Ever wonder what controls the native permissions on security principals such as Domain Admins and Administrators in Active Directory? What if an owner changes the permissions these entities have? The permissions come back. They must. John Policelli has a great article on AdminSDHolder and SDPROP in this month's TechNet article. The magic is driven by AdminSDHolder, an object that resides under the System container of the domain NC. This object has a unique ACL which is used to control the permissions of security principals that are members of built-in AD groups, also known as "protected groups". SDPROP (the Security Descriptor Propagator) is the process that runs in the background and applies those permissions according to the ACL on AdminSDHolder.
Every hour, a background process called SDPROP runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on all security principals (users, groups and computer accounts) that belong to protected groups against the ACL on the AdminSDHolder object. If the ACLs aren't the same, the ACL on the security principal is overwritten with the ACL from the AdminSDHolder object. In addition, inheritance is disabled on the security principal.
John has done an excellent job of explaining the process and how it can affect you. I would like to show you the one-liners with which you can look up who is part of that "elite" bunch in your AD, with PowerShell (ADWS) on Windows Server 2008 R2 as well as with PowerShell (and the Quest cmdlets) in a Windows Server 2003 domain.
For every recipient of this process, i.e. a security principal such as a user, group or computer, there is an attribute named "adminCount" that gets set to "1", indicating that this principal is part of a protected group in AD, either explicitly or via nesting.
On Windows Server 2008 R2, where you can use ADWS, the simple commands to retrieve the user and group objects with adminCount set to 1 are these:
Get-ADGroup -LDAPFilter "(admincount=1)" | select name
Get-ADUser -LDAPFilter "(admincount=1)" | select name
In domains that are pre-Windows Server 2008 R2, you can use the similar Quest (QAD) cmdlets:
Get-QADGroup -LDAPFilter "(admincount=1)"
Get-QADUser -LDAPFilter "(admincount=1)"
If you would just like to get the total number of users, you can count them like this (the @() wrapper makes .Count work even when only a single object comes back):
@(Get-QADUser -LdapFilter "(admincount=1)").Count
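An added audit script, not from this post or from the TechNet article, that combines the lookup above with the SDPROP behaviour described earlier: for every adminCount=1 object it reports whether the object is still a member of a protected group, whether inheritance is blocked, and whether its DACL matches the one on AdminSDHolder. The protected-group list and the krbtgt exception are assumptions taken from the standard Windows Server 2008 R2 defaults, not from the page; it needs the ActiveDirectory module (ADWS) and read access to the domain.

```powershell
# Added example, not from the original post. Audits every adminCount=1 object:
# is it still in a protected group, is inheritance blocked, and does its DACL
# match AdminSDHolder's? Requires the ActiveDirectory module (ADWS).
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$holderDN   = "CN=AdminSDHolder,CN=System,$domainDN"
$holderDacl = (Get-Acl -Path "AD:\$holderDN").GetSecurityDescriptorSddlForm('Access')

# Assumption: the standard protected-group names. Schema Admins and Enterprise
# Admins exist only in the forest root, so groups that are not found are skipped.
$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Replicator', 'Domain Admins',
    'Schema Admins', 'Enterprise Admins', 'Domain Controllers',
    'Read-only Domain Controllers'

# Collect the DNs of every direct or nested member of a protected group.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    try { $group = Get-ADGroup -Identity $name -ErrorAction Stop } catch { continue }
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
}

$report = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { 'user', 'group', 'computer' -contains $_.ObjectClass } |
    ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        New-Object PSObject -Property @{
            Name               = $_.Name
            ObjectClass        = $_.ObjectClass
            # krbtgt is protected directly by SDPROP, not through group membership.
            StillProtected     = $protectedMembers.ContainsKey($_.DistinguishedName) -or
                                 $_.Name -eq 'krbtgt'
            InheritanceBlocked = $acl.AreAccessRulesProtected
            # SDDL comparison is strict: a mere ACE-order difference also reports $false.
            DaclMatchesHolder  = $acl.GetSecurityDescriptorSddlForm('Access') -eq $holderDacl
        }
    }

# StillProtected = False means adminCount=1 is stale: the object left its protected
# group but kept the locked-down, non-inheriting ACL, so it deserves a review.
$report | Sort-Object StillProtected, Name |
    Format-Table Name, ObjectClass, StillProtected, InheritanceBlocked, DaclMatchesHolder -AutoSize
```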
Another great read on AdminCount, AdminSDHolder, and SDPROP is right here from Mike B. Smith.
Joe points out some discrepancies in the TechNet article and explains them in great detail: http://blog.joeware.net/2009/09/08/1693/