PowerShell : How do I look up AdminCount for AdminSDHolder and SDPROP ?


What is the AdminSDHolder and SDPROP ?

Ever wonder what controls the native permissions on security principals such as Domain Admins and Administrators in Active Directory ? What if someone changes the permissions on one of these objects ? The permissions come back. They must. John Policelli had a great article on the subject of AdminSDHolder and SDPROP in this month's TechNet Magazine. The magic is driven by AdminSDHolder, an object that lives under the System container of the domain naming context (CN=AdminSDHolder,CN=System). This object carries a special ACL that serves as the template for the permissions of every security principal that is a member of a specific set of privileged groups, the so-called "protected groups". SDPROP (the Security Descriptor Propagator) is the process that runs in the background and stamps those permissions onto the members according to the AdminSDHolder object.

Every hour (60 minutes by default), SDPROP runs on the domain controller that holds the PDC Emulator operations master role. It compares the ACL on every security principal (user, group or computer account) that belongs to a protected group against the ACL on the AdminSDHolder object. If the two aren't the same, the ACL on the security principal is overwritten with the ACL from the AdminSDHolder object. In addition, inheritance is disabled on the security principal, so permissions delegated higher up in the OU tree no longer reach it.

John has done an excellent job of explaining the process and how it can affect you. I would like to show you the one-liners with which you can look up who is part of that "elite" bunch in your AD, using PowerShell with the Active Directory module (ADWS) on Windows Server 2008 R2, and using PowerShell with the Quest cmdlets in a Windows Server 2003 domain.

For every recipient of this process, i.e. a security principal such as a user, group or computer, an attribute named adminCount gets set to 1, indicating that this principal is, explicitly or via nesting, a member of a protected group in AD. Keep in mind that SDPROP only ever sets the flag: when a principal is later removed from the protected group, adminCount stays at 1 and inheritance stays disabled until someone cleans it up by hand, so a query on adminCount=1 shows the history of protected membership, not just its current state.

On Windows Server 2008 R2, where you can use the Active Directory module (which talks to ADWS), the simple commands to retrieve the group and user objects with adminCount set to 1 are these.

Get-ADGroup -LDAPFilter "(adminCount=1)" | Select-Object Name

Get-ADUser -LDAPFilter "(adminCount=1)" | Select-Object Name

In domains that are pre-Windows Server 2008 R2, you can use the similar QAD cmdlets from the Quest ActiveRoles Management Shell for Active Directory.

Get-QADGroup -LdapFilter "(adminCount=1)"

Get-QADUser -LdapFilter "(adminCount=1)"

If you would just like the total number of users, you can count them like this (the @() wrapper makes sure .Count works even when zero or only one object comes back).

@(Get-QADUser -LdapFilter "(adminCount=1)").Count
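The one-liners above tell you who carries the flag, but not whether the flag is still deserved. The script below is an added example, not code from the original post or from the TechNet article: it lists every object SDPROP has stamped with adminCount=1 (users, groups and computers alike), walks the current membership of the protected groups itself, and marks the objects that are no longer in any of them but still have the AdminSDHolder ACL and inheritance switched off. It assumes the Active Directory module on Windows Server 2008 R2 (or RSAT), that it is run against the domain being checked, and the default Windows Server 2008 R2 list of protected groups (the dSHeuristics setting that exempts the operator groups is not taken into account). The group names in the comments are the usual English ones; the script itself works from well-known SIDs.

```powershell
# Added example (not from the original post): compare adminCount=1 objects
# with the current membership of the protected groups and flag stale entries.
# Assumes the Active Directory module (Windows Server 2008 R2 / RSAT) and a
# reachable DC of the domain being checked.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Groups protected by AdminSDHolder on Windows Server 2008 R2, by well-known
# SID so the script does not depend on localized group names.
$protectedGroupSids = @(
    'S-1-5-32-544',        # Administrators
    'S-1-5-32-548',        # Account Operators
    'S-1-5-32-549',        # Server Operators
    'S-1-5-32-550',        # Print Operators
    'S-1-5-32-551',        # Backup Operators
    'S-1-5-32-552',        # Replicator
    "$domainSid-512",      # Domain Admins
    "$domainSid-516",      # Domain Controllers
    "$domainSid-518",      # Schema Admins (forest root domain only)
    "$domainSid-519",      # Enterprise Admins (forest root domain only)
    "$domainSid-521"       # Read-only Domain Controllers
)

# Walk the member attribute ourselves: Get-ADGroupMember -Recursive returns
# only leaf objects, but nested groups get adminCount=1 as well.
function Add-ProtectedMembers {
    param([string]$GroupDN, [hashtable]$Seen)
    if ($Seen.ContainsKey($GroupDN)) { return }
    $Seen[$GroupDN] = $true
    $group = Get-ADGroup -Identity $GroupDN -Properties member
    foreach ($dn in @($group.member)) {
        if ($Seen.ContainsKey($dn)) { continue }
        # Members that live in another domain cannot be read from this DC without
        # chasing referrals; SDPROP only handles its own domain anyway, so skip them.
        try { $obj = Get-ADObject -Identity $dn -Properties objectClass } catch { continue }
        if ($obj.ObjectClass -eq 'group') {
            Add-ProtectedMembers -GroupDN $dn -Seen $Seen
        } else {
            $Seen[$dn] = $true
        }
    }
}

$expected = @{}
foreach ($sid in $protectedGroupSids) {
    # Schema/Enterprise Admins do not exist in child domains, and Get-ADGroup
    # throws a terminating error for an unknown identity, hence try/catch.
    try { $g = Get-ADGroup -Identity $sid } catch { continue }
    Add-ProtectedMembers -GroupDN $g.DistinguishedName -Seen $expected
}
# The built-in Administrator (RID 500) and krbtgt (RID 502) accounts are
# protected directly, without any group membership.
foreach ($rid in 500, 502) {
    try { $u = Get-ADUser -Identity "$domainSid-$rid" } catch { continue }
    $expected[$u.DistinguishedName] = $true
}

# Everything SDPROP has stamped, regardless of object class, plus the
# security descriptor so we can show that inheritance is switched off.
$stamped = Get-ADObject -LDAPFilter '(adminCount=1)' `
    -Properties adminCount, nTSecurityDescriptor

$report = foreach ($obj in $stamped) {
    New-Object PSObject -Property @{
        Name               = $obj.Name
        ObjectClass        = $obj.ObjectClass
        InheritanceBlocked = $obj.nTSecurityDescriptor.AreAccessRulesProtected
        StillProtected     = $expected.ContainsKey($obj.DistinguishedName)
        DistinguishedName  = $obj.DistinguishedName
    }
}

"{0} objects carry adminCount=1; {1} of them are no longer in a protected group" -f `
    @($report).Count, @($report | Where-Object { -not $_.StillProtected }).Count
$report | Sort-Object StillProtected, ObjectClass, Name |
    Format-Table Name, ObjectClass, StillProtected, InheritanceBlocked -AutoSize

# Cleanup for the stale ones, deliberately left commented out: clear the flag
# and re-enable inheritance so OU-level delegation applies to them again.
# $report | Where-Object { -not $_.StillProtected } | ForEach-Object {
#     Set-ADObject -Identity $_.DistinguishedName -Clear adminCount
#     $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
#     $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep explicit ACEs
#     Set-Acl -Path "AD:\$($_.DistinguishedName)" -AclObject $acl
# }
```

Review the StillProtected=False rows before running the commented cleanup: a principal that was deliberately removed from Domain Admins but still carries the AdminSDHolder ACL is exactly the kind of account that keeps its old, non-delegatable permissions long after anyone remembers why.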

Another great read on AdminCount, AdminSDHolder, and SDPROP is right here from Mike B. Smith.

Joe, over at joeware, pointed out some discrepancies in the TechNet article and explains them in great detail: http://blog.joeware.net/2009/09/08/1693/

How many DFL and FFL are there now ?


What were called "domain modes" in Windows 2000 became the Domain Functional Level and the Forest Functional Level in Windows Server 2003, and the list has grown again with the two new Windows Server 2008 and Windows Server 2008 R2 levels. The Domain Functional Level limits which operating systems the DCs of that domain may run; the Forest Functional Level can only be raised (in a multi-domain environment) once every domain in the forest is already at the matching Domain Functional Level. Neither Functional Level dictates the OS you can run on your member servers. They dictate which OS can run on a DC and unlock new AD functionality as you move up the ladder. For example, to take advantage of the AD Recycle Bin all your DCs must be running Windows Server 2008 R2 and the FFL must be raised to Windows Server 2008 R2 (and the feature still has to be enabled explicitly afterwards).

There are now six different Domain Functional Levels (DC operating systems listed as supported as of Windows Server 2008 R2):

1. Windows 2000 mixed (NT4 / 2000 / 2003 DCs)
2. Windows 2000 native (2000 / 2003 / 2008 / 2008 R2 DCs)
3. Windows Server 2003 interim (NT4 / 2003 DCs)
4. Windows Server 2003 (2003 / 2008 / 2008 R2 DCs)
5. Windows Server 2008 (2008 / 2008 R2 DCs)
6. Windows Server 2008 R2 (2008 R2 DCs only)

And five Forest Functional Levels:

1. Windows 2000 (NT4 / 2000 / 2003 / 2008 / 2008 R2 DCs)
2. Windows Server 2003 interim (NT4 / 2003 DCs)
3. Windows Server 2003 (2003 / 2008 / 2008 R2 DCs)
4. Windows Server 2008 (2008 / 2008 R2 DCs)
5. Windows Server 2008 R2 (2008 R2 DCs only)

See this for list of features for different Functional Levels.
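Before planning a raise, it helps to see the three things the rules above depend on in one place: the current FFL, the DFL of every domain in the forest, and the operating system of every DC. The script below is an added example, not from the original post: it reports all three and then checks the Recycle Bin prerequisites (FFL at Windows Server 2008 R2 and the optional feature actually enabled). It assumes the Active Directory module on Windows Server 2008 R2 (or RSAT) and an account that can read every domain in the forest.

```powershell
# Added example (not from the original post): show forest/domain functional
# levels, DC operating systems and the Recycle Bin status in one report.
# Assumes the Active Directory module (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest {0}: FFL = {1}" -f $forest.Name, $forest.ForestMode

# The FFL can never be higher than the lowest DFL in the forest, so list every
# domain, and under each domain the OS of its DCs, which caps that domain's DFL.
foreach ($name in $forest.Domains) {
    $d = Get-ADDomain -Identity $name
    "  Domain {0}: DFL = {1}" -f $d.DNSRoot, $d.DomainMode
    Get-ADDomainController -Filter * -Server $d.DNSRoot |
        Sort-Object HostName |
        ForEach-Object {
            "    DC {0}: {1} {2}" -f $_.HostName, $_.OperatingSystem, $_.OperatingSystemServicePack
        }
}

# Recycle Bin needs FFL Windows Server 2008 R2 AND an explicit enable.
# Compare the enum values numerically so the check does not depend on names.
$required = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt $required) {
    "Recycle Bin: not available, FFL must first be raised to Windows Server 2008 R2"
} else {
    $rb = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if (@($rb.EnabledScopes).Count -eq 0) {
        "Recycle Bin: FFL is sufficient but the feature is not enabled yet"
    } else {
        "Recycle Bin: enabled in {0} scope(s)" -f @($rb.EnabledScopes).Count
    }
}
```

Raising a level is one-way (there is no lowering it again on Windows Server 2008 R2), so the DC list is the part worth reading twice: a single forgotten Windows Server 2003 DC in any domain is enough to block the forest-wide raise.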

Free e-book on Virtualization Solutions from Microsoft


You can get a free e-book in PDF format authored by Mitch Tulloch from Microsoft. This book covers Hyper-V, App-V, VDI and SCVMM 2008. Click below to register and download your copy.

Also, in this month's issue of TechNet Magazine, there is an article on SCVMM 2008 R2 RC by Paul Schnackenburg. It's definitely a good read, as it explains the much-awaited Hyper-V virtualization features such as Live/Quick Migration of VMs between hosts, the self-service portal, the new VMM-specific PowerShell cmdlets and much more.

You can read it here.

Exchange 2010 goes Release Candidate today !


You can get an evaluation copy here.

Scott Schnoll had a great post on how to install the beta, with all the gotchas and a long list of pre-reqs.


As Exchange 2010 will only run on Windows Server 2008 (64-bit only), there were some known issues with the beta version on Windows Server 2008 R2 (mainly builds newer than 7000), due to the PowerShell and WinRM stacks being incompatible. That issue is well discussed here, and hopefully those issues are now resolved with the RC.


And here is the system requirements list.