ZEDA.nl

Tips & Tweaks for Windows


Protected groups explained

While configuring delegation I stumbled upon some strange behaviour. I used the delegation wizard to allow members of a group of helpdesk users to unlock accounts, which worked fine.

After a while it was noticed that some accounts couldn't be unlocked as planned, because the Active Directory object permissions were not right. Strange, I must have overlooked something, so I changed the permissions by hand.

The day after, I noticed incorrect object permissions on accounts that I was certain I had set right. Other accounts in the same OU were still untouched. I thought this was rather strange.

After a long search on the internet - just before the men in white jackets would pick me up - I found a knowledge base article stating that this behaviour is by design. Microsoft built in security measures that prevent changing the permissions on certain AD user objects. Well, you can change them alright, but they will be reset to the default values every hour.

The effect explained

Once an hour, a process starts that examines the ACLs on certain built-in groups and their members. If it finds permissions that have been changed, it resets them to the original values.

This effect applies to these groups:

Account Operators
Administrator
Administrators
Backup Operators
Cert Publishers
Domain Admins
Domain Controllers
Enterprise Admins
Krbtgt
Print Operators
Read-only Domain Controllers (Windows 2008 R2)
Replicator
Schema Admins
Server Operators

To be more precise, the permissions are reset to match the permissions on the AD container Domain\System\AdminSDHolder. Any permission that is not also set on that container will be removed from the protected objects again.

Experience this yourself

You can test this behaviour by adding a test user account to one of the protected groups and changing the permissions on the user object. You will notice the reset of permissions after a while.
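To see the effect described above without waiting for the hourly reset, the following PowerShell script is an added example (not from the original post) that compares the delegated group's permissions on AdminSDHolder with the permissions on every object SDProp has stamped (adminCount=1), and flags objects that carry a hand-set ACE that will be removed. It assumes the RSAT ActiveDirectory module with its AD: drive is available, read access to the domain, and a placeholder helpdesk group name.

```powershell
# Added example, not from the original post: report which AD objects SDProp
# protects and whether a delegated group's permissions survive on them.
# Assumptions: the RSAT ActiveDirectory module (with its AD: drive) is loaded
# and the account running this can read the domain. Group name is a placeholder.
Import-Module ActiveDirectory
$DelegatedGroup = 'CONTOSO\Helpdesk-Unlock'   # placeholder: your delegated helpdesk group
$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"
# AdminSDHolder's ACL is the template SDProp copies onto protected objects every hour,
# so delegation only persists on them if it is granted here as well.
$onHolder = @((Get-Acl -Path "AD:\$holderDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $DelegatedGroup })

# The groups listed in the post; their members (nested included) are protected.
$protectedGroups = 'Account Operators', 'Administrators', 'Backup Operators',
    'Cert Publishers', 'Domain Admins', 'Domain Controllers', 'Enterprise Admins',
    'Print Operators', 'Read-only Domain Controllers', 'Replicator',
    'Schema Admins', 'Server Operators'
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    # Enterprise/Schema Admins exist only in the forest root; skip groups this domain lacks.
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
}
# Administrator and krbtgt are protected as accounts, not through a group.
foreach ($u in 'Administrator', 'krbtgt') {
    $acct = Get-ADUser -Filter "Name -eq '$u'" -ErrorAction SilentlyContinue
    if ($acct) { $protectedMembers[$acct.DistinguishedName] = $true }
}

# adminCount=1 marks objects SDProp has already stamped; SDProp also disables ACL
# inheritance on them, which is why OU-level delegation never reaches them.
$report = foreach ($obj in Get-ADObject -Filter 'adminCount -eq 1' -Properties adminCount) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    $onObject = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $DelegatedGroup })
    [pscustomobject]@{
        Name                  = $obj.Name
        Class                 = $obj.ObjectClass
        InheritanceDisabled   = $acl.AreAccessRulesProtected
        DelegatedAceOnObject  = $onObject.Count -gt 0  # hand-set ACE; SDProp removes it within the hour
        DelegatedAceOnHolder  = $onHolder.Count -gt 0  # $true: delegation survives on protected objects
        # $false: the object left the protected groups but keeps adminCount=1 and the
        # protected ACL until an admin clears adminCount and re-enables inheritance.
        StillInProtectedGroup = $protectedMembers.ContainsKey($obj.DistinguishedName)
    }
}
$report | Sort-Object StillInProtectedGroup, Name | Format-Table -AutoSize
```

Rows with DelegatedAceOnObject set and DelegatedAceOnHolder clear are exactly the accounts the helpdesk will lose access to at the next SDProp run; rows with StillInProtectedGroup clear are accounts that keep the protected ACL even though they no longer belong to any listed group.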

This post applies to: Windows 2003, Windows 2008, Windows 2012.
