Why do Active Directory Permissions Revert After I Set Them?

Active Directory has a feature that keeps privileged users like Domain Admins from locking themselves out of Active Directory by incorrectly setting permissions. The AdminSDHolder object and its Active Directory worker code are used by Domain Controllers to protect high-privilege accounts from inadvertent modification and to make sure high-privilege permissions are not stripped away. At its simplest, this process ensures that privileged accounts have the permissions they need to do their work.

If you are using a tool like PeopleUpdate to update accounts, you can only update members of the Domain Admins group if you set the proxy service account to an account that is a member of Domain Admins. We don’t recommend using this setting, though, as it’s a security risk on a very powerful account. Instead, use another tool like Active Directory Users and Computers (ADUC) to modify the few members of Domain Admins.
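To see which accounts this protection covers in your own domain, the read-only PowerShell audit below lists them and checks whether each one currently carries the AdminSDHolder permissions. It is an added example, not part of the original article or of PeopleUpdate. It assumes the ActiveDirectory (RSAT) module and relies on the standard `adminCount` attribute and the `CN=AdminSDHolder,CN=System` object, neither of which the article names.

```powershell
# Added example: read-only audit, makes no changes to the directory.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# Permissions (DACL) that Domain Controllers re-apply to protected objects.
$holder     = Get-ADObject -Identity $holderDN -Properties nTSecurityDescriptor
$holderDacl = $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')

# adminCount=1 marks objects that are, or once were, protected.
# The flag is not cleared when an account leaves a privileged group,
# so a mismatch below often means the flag is stale.
$filter = '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))'

Get-ADObject -LDAPFilter $filter -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        [pscustomobject]@{
            Name                 = $_.Name
            ObjectClass          = $_.ObjectClass
            # True when the object no longer inherits permissions from its OU.
            InheritanceBlocked   = $sd.AreAccessRulesProtected
            # True when the object's DACL is identical to AdminSDHolder's.
            MatchesAdminSDHolder = ($sd.GetSecurityDescriptorSddlForm('Access') -eq $holderDacl)
        }
    } |
    Sort-Object ObjectClass, Name |
    Format-Table -AutoSize
```

Accounts that show `MatchesAdminSDHolder` as `True` are the ones whose permissions will revert after you set them, and the ones a delegated tool cannot update.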

Resources

To find out more, you can search our blog for "AdminSDHolder". Refer to these articles for a better understanding of how to manage permissions for privileged Active Directory objects.