Why do Active Directory Permissions Revert After I Set Them?

Active Directory has a feature that keeps privileged users, such as Domain Admins, from locking themselves out of Active Directory by setting permissions incorrectly. Domain Controllers use the AdminSDHolder object, together with the Active Directory worker code that applies it, to protect high-privilege accounts from inadvertent modification and to make sure high-privilege permissions are not stripped away: the permissions on AdminSDHolder are periodically copied back onto the protected accounts, so changes made directly on those accounts are overwritten. At its simplest, this process ensures that privileged accounts keep the permissions they need to do their work.

If you are using a tool like PeopleUpdate to update accounts, you can only update members of the Domain Admins group if you set the proxy service account to an account that is itself a member of Domain Admins. We don't recommend this setting, though, as it is a security risk on a very powerful account. Instead, use another tool like Active Directory Users and Computers (ADUC) to modify the few members of Domain Admins.
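The following PowerShell is an added example, not part of this article or of the PeopleUpdate product: it lists the accounts Active Directory currently marks as protected and checks whether a given account's permissions already match the AdminSDHolder template, which tells you whether a change you just made on that account is about to be reverted. It assumes the ActiveDirectory module (RSAT) in a domain-joined session, and the account name `jdoe` is a constructed sample.

```powershell
# Added example: which accounts does AdminSDHolder protect, and will my edits on one of
# them survive? Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-AdminSDHolderDacl {
    # The template object lives at CN=AdminSDHolder,CN=System,<domain DN>.
    $domainDn = (Get-ADDomain).DistinguishedName
    $holder = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDn" `
                           -Properties nTSecurityDescriptor
    # Return only the DACL part of the security descriptor as an SDDL string.
    return $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')
}

function Test-ProtectedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor
    $userDacl     = $user.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')
    $templateDacl = Get-AdminSDHolderDacl

    # The propagation marks the copied DACL as protected (no inheritance), so strip the
    # control flags after "D:" and compare only the access control entries themselves.
    $normalize = { param($sddl) $sddl -replace '^D:[A-Z]*\(', 'D:(' }

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        # adminCount = 1 means Active Directory has stamped this account as protected.
        AdminCount        = $user.adminCount
        # $true: the account already carries the template DACL, as expected.
        # $false with AdminCount = 1: someone edited the ACL directly; it will be
        # overwritten again on the next propagation pass (every 60 minutes by default).
        DaclMatchesHolder = ((& $normalize $userDacl) -eq (& $normalize $templateDacl))
    }
}

# Every account currently stamped as protected.
Get-ADUser -LDAPFilter '(adminCount=1)' | Select-Object SamAccountName, DistinguishedName

# Check one account (constructed sample name).
Test-ProtectedAccount -SamAccountName 'jdoe'
```

If `DaclMatchesHolder` is `$false` for an account whose `AdminCount` is 1, the permissions you set on it have not been reverted yet, but they will be; change the AdminSDHolder template instead if the permission is genuinely required.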

Resources

To find out more, search our blog for "AdminSDHolder". Refer to these articles for a better understanding of how to manage permissions for privileged Active Directory objects.

Related Articles

    • Why everyone has permissions to change passwords in Active Directory
    • Check effective permissions in Active Directory
    • Why do I get a General Access Denied Error in my Application?
    • Active Directory Firewall Ports
    • How is the communication channel from Web Active Directory products to Active Directory secured?