When you add a user to one of the protected groups, such as ‘Account Operators’, ‘Administrators’, ‘Backup Operators’, ‘Domain Admins’, ‘Domain Controllers’, ‘Enterprise Admins’, ‘Print Operators’, ‘Read-only Domain Controllers’, ‘Replicator’, ‘Schema Admins’ or ‘Server Operators’, the user becomes protected too.
The user object’s adminCount attribute is set to ‘1’ and its access rights are replaced with those of the AdminSDHolder container (CN=AdminSDHolder,CN=System,DC=domain,DC=com).
By default, access rights inheritance is disabled on AdminSDHolder, and therefore on protected user objects as well.
When you remove a user from a protected group, the adminCount attribute is neither removed nor changed, and permissions inheritance on the object is not re-enabled.
To remove the adminCount attribute and re-enable access rights inheritance you can use this module’s functions Get-sthAdminSDHolderProtectedUserAccount and Remove-sthAdminSDHolderUserAccountProtection.
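As an added example (not part of the sthAdminSDHolder module), the following PowerShell enumerates the condition described above: accounts that still carry adminCount=1 although they are no longer members, directly or through nesting, of any protected group. It assumes the RSAT ActiveDirectory module on a domain-joined host, the default dsHeuristics (all eleven groups protected), and Get-OrphanedAdminCountUser is a hypothetical helper name.

```powershell
# Added example, not module code. Requires the RSAT ActiveDirectory module and
# read access to the domain. Assumes the default dsHeuristics (no groups excluded).
Import-Module ActiveDirectory

function Get-OrphanedAdminCountUser {
    # Hypothetical helper: reports users with adminCount=1 and whether any
    # AdminSDHolder-protected group membership (including nested) remains.
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Builtin protected groups have well-known SIDs; domain ones use fixed RIDs.
    $protectedSids = @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',
                       'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552')
    $protectedSids += 512, 516, 518, 519, 521 | ForEach-Object { "$domainSid-$_" }

    foreach ($user in Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor) {
        # tokenGroups is a constructed attribute holding the transitive set of group
        # SIDs, so membership via a nested group is still recognised as protected.
        $sids = (Get-ADUser -Identity $user.DistinguishedName -Properties tokenGroups).tokenGroups |
            ForEach-Object { $_.Value }
        $stillProtected = @($sids | Where-Object { $protectedSids -contains $_ })
        [pscustomobject]@{
            SamAccountName     = $user.SamAccountName
            Enabled            = $user.Enabled
            AdminCount         = $user.adminCount
            # AreAccessRulesProtected is true when inheritance is disabled on the object.
            InheritanceEnabled = -not $user.nTSecurityDescriptor.AreAccessRulesProtected
            ProtectedGroupSids = $stillProtected
            Orphaned           = ($stillProtected.Count -eq 0)
        }
    }
}

# Review the orphaned accounts before cleaning them up with
# Remove-sthAdminSDHolderUserAccountProtection.
Get-OrphanedAdminCountUser | Where-Object Orphaned |
    Format-Table SamAccountName, Enabled, AdminCount, InheritanceEnabled -AutoSize
```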
You can also exclude the ‘Account Operators’, ‘Server Operators’, ‘Print Operators’ or ‘Backup Operators’ groups from protection (and include them again) by adjusting the dsHeuristics attribute of the ‘Directory Service’ container (CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com).
This is done with the functions Get-sthAdminSDHolderGroup, Disable-sthAdminSDHolderGroupProtection and Enable-sthAdminSDHolderGroupProtection.
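As an added example (not module code), the following PowerShell decodes and rebuilds the 16th character of dsHeuristics that these functions adjust; it is pure string handling and runs without a domain. The per-group bit values (Account Operators 1, Server Operators 2, Print Operators 4, Backup Operators 8) are the documented dwAdminSDExMask flags and agree with the values shown in the Disable-/Enable- examples below; Get-AdminSDExcludedGroup and Set-AdminSDExcludedGroup are hypothetical names.

```powershell
# Added example, not part of the sthAdminSDHolder module. Pure string handling:
# runs without a domain. Bits of the 16th dsHeuristics character (dwAdminSDExMask).
$AdminSDExMaskBits = [ordered]@{
    'Account Operators' = 0x1
    'Server Operators'  = 0x2
    'Print Operators'   = 0x4
    'Backup Operators'  = 0x8
}

function Get-AdminSDExcludedGroup {
    # Hypothetical helper: names the groups a dsHeuristics value excludes from protection.
    param([string]$dsHeuristics)
    if ($dsHeuristics.Length -lt 16) { return @() }   # null or short value: nothing excluded
    $mask = [Convert]::ToInt32($dsHeuristics.Substring(15, 1), 16)
    $AdminSDExMaskBits.GetEnumerator() |
        Where-Object { $mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Set-AdminSDExcludedGroup {
    # Hypothetical helper: returns a new dsHeuristics string with the given groups
    # excluded (bit set) or protected again (bit cleared). It never writes to AD.
    param([string]$dsHeuristics, [string[]]$Exclude = @(), [string[]]$Include = @())
    $chars = @($dsHeuristics.ToCharArray())
    while ($chars.Count -lt 16) { $chars += [char]'0' }
    $chars[9] = [char]'1'   # every 10th character of dsHeuristics carries its position digit
    $mask = [Convert]::ToInt32([string]$chars[15], 16)
    foreach ($g in $Exclude) { $mask = $mask -bor  $AdminSDExMaskBits[$g] }
    foreach ($g in $Include) { $mask = $mask -band (-bnot $AdminSDExMaskBits[$g]) }
    $chars[15] = ('{0:x}' -f $mask)[0]
    -join $chars
}

# Reproduce the sequence of changes shown in the Disable-/Enable- examples:
# exclude Account Operators from an empty value, exclude the other three, then
# protect Account Operators again, and decode the final value.
$step1 = Set-AdminSDExcludedGroup -dsHeuristics $null -Exclude 'Account Operators'
$step2 = Set-AdminSDExcludedGroup $step1 -Exclude 'Server Operators', 'Print Operators', 'Backup Operators'
$step3 = Set-AdminSDExcludedGroup $step2 -Include 'Account Operators'
$step1, $step2, $step3
Get-AdminSDExcludedGroup $step3
```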
The module contains the following functions:
Get-sthAdminSDHolderProtectedUserAccount – Gets the Active Directory user accounts protected by AdminSDHolder. It returns Name, SamAccountName, UserPrincipalName, whether the account is enabled, the adminCount attribute value, whether access rights inheritance is enabled, and the list of protected groups the user is a member of.
Remove-sthAdminSDHolderUserAccountProtection – Removes the adminCount attribute and enables access rules inheritance for a user object that no longer belongs to any group protected by the AdminSDHolder container.
Get-sthAdminSDHolderGroup – Gets the Active Directory groups protected by the AdminSDHolder container. It returns the dsHeuristics attribute value, the protected groups and, if any, the groups excluded from protection.
Disable-sthAdminSDHolderGroupProtection – Disables AdminSDHolder protection for the Account Operators, Server Operators, Print Operators or Backup Operators groups.
Enable-sthAdminSDHolderGroupProtection – Enables AdminSDHolder protection for the Account Operators, Server Operators, Print Operators or Backup Operators groups.
You can install the sthAdminSDHolder module from the PowerShell Gallery:
Install-Module sthAdminSDHolder
Also, you can find it on GitHub:
https://github.com/sethvs/sthAdminSDHolder
How to use it?
Get-sthAdminSDHolderProtectedUserAccount
Example 1.
The command returns information about the user accounts protected by the AdminSDHolder container. The output includes disabled user accounts.
Get-sthAdminSDHolderProtectedUserAccount
Name         SamAccountName UserPrincipalName       Enabled AdminCountAttribute InheritanceEnabled AdminSDHolderGroups
----         -------------- -----------------       ------- ------------------- ------------------ -------------------
admin        admin          admin@domain.com        True    1                   False              {Administrators, Domain Admins, Enterprise Admins, Schema Admins}
user         user           user@domain.com         True    1                   False              {Account Operators}
disableduser disableduser   disableduser@domain.com False   1                   False              {Print Operators}
Example 2.
The command returns information about the user accounts protected by the AdminSDHolder container. The output includes only enabled user accounts.
Get-sthAdminSDHolderProtectedUserAccount -EnabledOnly
Name  SamAccountName UserPrincipalName Enabled AdminCountAttribute InheritanceEnabled AdminSDHolderGroups
----  -------------- ----------------- ------- ------------------- ------------------ -------------------
admin admin          admin@domain.com  True    1                   False              {Administrators, Domain Admins, Enterprise Admins, Schema Admins}
user  user           user@domain.com   True    1                   False              {Account Operators}
Example 3.
The command returns information about the user accounts protected by the AdminSDHolder container, looked up with ambiguous name resolution (ANR).
Get-sthAdminSDHolderProtectedUserAccount -ANR u
Name SamAccountName UserPrincipalName Enabled AdminCountAttribute InheritanceEnabled AdminSDHolderGroups
---- -------------- ----------------- ------- ------------------- ------------------ -------------------
user user           user@domain.com   True    1                   False              {Account Operators}
Example 4.
The command returns information about a user account protected by the AdminSDHolder container, looked up by the SamAccountName attribute of the user object.
Get-sthAdminSDHolderProtectedUserAccount -SamAccountName user
Name SamAccountName UserPrincipalName Enabled AdminCountAttribute InheritanceEnabled AdminSDHolderGroups
---- -------------- ----------------- ------- ------------------- ------------------ -------------------
user user           user@domain.com   True    1                   False              {Account Operators}
Example 5.
The command returns information about a user account protected by the AdminSDHolder container, looked up by the UserPrincipalName attribute of the user object.
Get-sthAdminSDHolderProtectedUserAccount -UserPrincipalName user@domain.com
Name SamAccountName UserPrincipalName Enabled AdminCountAttribute InheritanceEnabled AdminSDHolderGroups
---- -------------- ----------------- ------- ------------------- ------------------ -------------------
user user           user@domain.com   True    1                   False              {Account Operators}
Remove-sthAdminSDHolderUserAccountProtection
Example 1.
The command removes the adminCount attribute and enables access rules inheritance for the user account, which is specified by its SamAccountName.
Remove-sthAdminSDHolderUserAccountProtection -SamAccountName user -Remove -YesRemove
Removing adminCount attribute and enabling access rules inheritance.

Name SamAccountName UserPrincipalName Enabled AdminCountAttribute InheritanceEnabled AdminSDHolderGroups
---- -------------- ----------------- ------- ------------------- ------------------ -------------------
user user           user@domain.com   True    1                   False              {}

adminCount attribute removed.
Access rules inheritance enabled.
Example 2.
The command removes the adminCount attribute and enables access rules inheritance for the user account, which is specified by its UserPrincipalName.
Remove-sthAdminSDHolderUserAccountProtection -UserPrincipalName user@domain.com -Remove -YesRemove
Removing adminCount attribute and enabling access rules inheritance.

Name SamAccountName UserPrincipalName Enabled AdminCountAttribute InheritanceEnabled AdminSDHolderGroups
---- -------------- ----------------- ------- ------------------- ------------------ -------------------
user user           user@domain.com   True    1                   False              {}

adminCount attribute removed.
Access rules inheritance enabled.
Example 3.
The command makes no changes to the user account, because it is still a member of a protected group.
Remove-sthAdminSDHolderUserAccountProtection -SamAccountName username -Remove -YesRemove
Account is a member of AdminSDHolder protected groups.

Name SamAccountName UserPrincipalName Enabled AdminCountAttribute InheritanceEnabled AdminSDHolderGroups
---- -------------- ----------------- ------- ------------------- ------------------ -------------------
user user           user@domain.com   True    1                   False              {Account Operators}

No changes were made.
Get-sthAdminSDHolderGroup
Example 1.
The command gets the value of the dsHeuristics attribute and the list of groups protected by the AdminSDHolder container.
Get-sthAdminSDHolderGroup
dsHeuristics: null

Protected Groups:

Name                         SID                                           distinguishedName
----                         ---                                           -----------------
Account Operators            S-1-5-32-548                                  CN=Account Operators,CN=Builtin,DC=domain,DC=com
Administrators               S-1-5-32-544                                  CN=Administrators,CN=Builtin,DC=domain,DC=com
Backup Operators             S-1-5-32-551                                  CN=Backup Operators,CN=Builtin,DC=domain,DC=com
Domain Admins                S-1-5-21-1234567890-1234567890-1234567890-512 CN=Domain Admins,CN=Users,DC=domain,DC=com
Domain Controllers           S-1-5-21-1234567890-1234567890-1234567890-516 CN=Domain Controllers,CN=Users,DC=domain,DC=com
Enterprise Admins            S-1-5-21-1234567890-1234567890-1234567890-519 CN=Enterprise Admins,CN=Users,DC=domain,DC=com
Print Operators              S-1-5-32-550                                  CN=Print Operators,CN=Builtin,DC=domain,DC=com
Read-only Domain Controllers S-1-5-21-1234567890-1234567890-1234567890-521 CN=Read-only Domain Controllers,CN=Users,DC=domain,DC=com
Replicator                   S-1-5-32-552                                  CN=Replicator,CN=Builtin,DC=domain,DC=com
Schema Admins                S-1-5-21-1234567890-1234567890-1234567890-518 CN=Schema Admins,CN=Users,DC=domain,DC=com
Server Operators             S-1-5-32-549                                  CN=Server Operators,CN=Builtin,DC=domain,DC=com
Example 2.
The command gets the value of the dsHeuristics attribute and the list of groups protected by the AdminSDHolder container. The function also returns the list of groups excluded from protection by the value of the 16th character of the dsHeuristics attribute.
Get-sthAdminSDHolderGroup
dsHeuristics: 000000000100000f

Protected Groups:

Name                         SID                                           distinguishedName
----                         ---                                           -----------------
Administrators               S-1-5-32-544                                  CN=Administrators,CN=Builtin,DC=domain,DC=com
Domain Admins                S-1-5-21-1234567890-1234567890-1234567890-512 CN=Domain Admins,CN=Users,DC=domain,DC=com
Domain Controllers           S-1-5-21-1234567890-1234567890-1234567890-516 CN=Domain Controllers,CN=Users,DC=domain,DC=com
Enterprise Admins            S-1-5-21-1234567890-1234567890-1234567890-519 CN=Enterprise Admins,CN=Users,DC=domain,DC=com
Read-only Domain Controllers S-1-5-21-1234567890-1234567890-1234567890-521 CN=Read-only Domain Controllers,CN=Users,DC=domain,DC=com
Replicator                   S-1-5-32-552                                  CN=Replicator,CN=Builtin,DC=domain,DC=com
Schema Admins                S-1-5-21-1234567890-1234567890-1234567890-518 CN=Schema Admins,CN=Users,DC=domain,DC=com

Excluded Groups:

Name              SID          distinguishedName
----              ---          -----------------
Account Operators S-1-5-32-548 CN=Account Operators,CN=Builtin,DC=domain,DC=com
Server Operators  S-1-5-32-549 CN=Server Operators,CN=Builtin,DC=domain,DC=com
Print Operators   S-1-5-32-550 CN=Print Operators,CN=Builtin,DC=domain,DC=com
Backup Operators  S-1-5-32-551 CN=Backup Operators,CN=Builtin,DC=domain,DC=com
Disable-sthAdminSDHolderGroupProtection
Example 1.
The command disables AdminSDHolder protection for the Account Operators group.
Disable-sthAdminSDHolderGroupProtection -AccountOperators -Disable -YesDisable
Current dsHeuristics value: null
DISABLED: Account Operators
Resulting dsHeuristics value: 0000000001000001
Example 2.
The command disables AdminSDHolder protection for the Account Operators, Server Operators, Print Operators and Backup Operators groups.
Disable-sthAdminSDHolderGroupProtection -AccountOperators -ServerOperators -PrintOperators -BackupOperators -Disable -YesDisable
Current dsHeuristics value: null
DISABLED: Account Operators
DISABLED: Server Operators
DISABLED: Print Operators
DISABLED: Backup Operators
Resulting dsHeuristics value: 000000000100000f
Enable-sthAdminSDHolderGroupProtection
Example 1.
The command enables AdminSDHolder protection for the Account Operators group.
Enable-sthAdminSDHolderGroupProtection -AccountOperators -Enable -YesEnable
Current dsHeuristics value: 000000000100000f
ENABLED: Account Operators
Resulting dsHeuristics value: 000000000100000e
Example 2.
The command enables AdminSDHolder protection for the Account Operators, Server Operators, Print Operators and Backup Operators groups.
Enable-sthAdminSDHolderGroupProtection -AccountOperators -ServerOperators -PrintOperators -BackupOperators -Enable -YesEnable
Current dsHeuristics value: 000000000100000f
ENABLED: Account Operators
ENABLED: Server Operators
ENABLED: Print Operators
ENABLED: Backup Operators
Resulting dsHeuristics value: 0000000001000000