Re: adminDSholder being over zealous!

From: Rabbit (rabbit@the.hutch)
Date: 01/05/03 

From: "Rabbit" <rabbit@the.hutch>
Date: Sun, 5 Jan 2003 08:47:45 -0000

Thanks for that - that was my thought and I will verify it again. However,
the test accounts are new accounts with no AdminCount
set (checked with RepAdmin). They get secured by adminSDHolder (I'll spell
it right this time!) on the first run after the account is created and added
to one of the problem groups. The only group that they are a member of (or
ever have been a member of) is Domain Users.

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:emWwYhCtCHA.1628@TK2MSFTNGP10...
> Try clearing the AdminCount property of the account in question that you
> don't want adminSDHolder overwriting.
>
> --
> Joe Richards
> www.joeware.net
> ---
>
> "Rabbit" <rabbit@the.hutch> wrote in message
> news:thBR9.1211$Gn6.18605@newsfep4-gui.server.ntli.net...
> > Have just come across a problem with the adminDSholder process which is
> > causing me some grief!
> >
> > On our production domain, if I create a new user (or copy an existing
one)
> > and add it to either the Server Operators or Print Operators builtin
> domain
> > group, the account becomes secured by adminDSholder (I have verified
this
> to
> > be case by modifying the permission set on adminDSholder and seeing it
> then
> > propogate to the test accounts), along with other higher-level admin
> > accounts.
> >
> > According to the (sparse) documentation I can find on this,
adminDSholder
> > only secures Administrators, Domain Administrators, Enterprise
> > Administrators and Schema Admins. I've tested this on a freshly-built
> test
> > domain and the securing of Server Operators and Print Operators doesn't
> > occur.
> >
> > This is a big headache for us as we run a custom process to secure
> 'medium'
> > level admin accounts with our own ACLs - this is now being overwritten
by
> > adminDSholder every hour.
> >
> > Any ideas on why this is occuring and how we can fix it...?
> >
> >
>
>

Relevant Pages

  • Re: adminDSholder being over zealous!
    ... don't want adminSDHolder overwriting. ... the account becomes secured by adminDSholder (I have verified this ... > propogate to the test accounts), ... > domain and the securing of Server Operators and Print Operators doesn't ...
    (microsoft.public.win2000.security)
  • adminDSholder being over zealous!
    ... Have just come across a problem with the adminDSholder process which is ... and add it to either the Server Operators or Print Operators builtin domain ... propogate to the test accounts), ...
    (microsoft.public.win2000.security)
  • Re: Remove GP after a number of mistakes?
    ... is more than one way to access most of the control panel applets. ... of your GPO's and there's a summary tab which will create an HTML ... Play around with GPO's on your server and create some test accounts to ...
    (microsoft.public.windows.group_policy)
  • Re: adminDSholder being over zealous!
    ... get a dump of one of the user accounts with a problem with my ... >>> be case by modifying the permission set on adminDSholder and seeing it ... >>> domain and the securing of Server Operators and Print Operators ...
    (microsoft.public.win2000.security)
  • Re: Sending email to Hotmail accounts
    ... If you've selected DNS, ... Les Connor [SBS Community Member - SBS MVP] ... I recieve email ok on all the test accounts just fine from all accounts ...
    (microsoft.public.windows.server.sbs)