The `adminCount` attribute in Active Directory is set to `1` when an account becomes a member of a "protected" group. These groups include high-privilege groups like:
- Domain Admins
- Enterprise Admins
- Schema Admins
- Administrators
- Account Operators
- Server Operators
- Backup Operators
- Print Operators
This means that if you have an application running as a user account which, through nested groups, ends up in one of these groups, that account's adminCount value will be set to "1" rather than "0", and the AdminSDHolder process, which runs every 60 minutes, will then act on it.
These protected groups are managed by the AdminSDHolder process, which is responsible for applying special permissions to the objects in these groups to protect them from unintentional changes or attacks.
Overview of the AdminSDHolder Process
1. AdminSDHolder Object
This is a special object in AD, in the "System" container, that holds a template of the security descriptor applied to all protected groups and their members. This means that if a permission is required on protected users, you will need to add it to that ACL.
2. AdminSDHolder Process
Every 60 minutes, a background process runs on the Primary Domain Controller (PDC) Emulator. It compares the security descriptors of members of the protected groups to the template in the AdminSDHolder object; if the ACL does not match, the permissions are reset to the ACL of AdminSDHolder, as you can see below:
Note : If you do not see the System container, ensure you choose View then Advanced Features in your MMC.
Issue : Inheritance being disabled
When `adminCount` is set to `1`, the object's ACL (Access Control List) is protected by disabling inheritance, which means the object no longer inherits permissions from its parent container.
Careful Resetting Inheritance - it's pointless
If you manually re-enable inheritance or remove the `adminCount` attribute from the object, the AdminSDHolder process will reset it during its next run, which occurs every 60 minutes.
Monitor in the Event Log
Event ID 4732/4733 : These events will show when a user was added to or removed from a security-enabled global group, including protected groups.
Event ID 4662 : These events log modifications to objects, including changes to the `adminCount` attribute.
Updating the ACL on AdminSDHolder : Backup AdminSDHolder
If you are looking to amend the ACL of the AdminSDHolder, remember that any changes you make to the AdminSDHolder ACL will be inherited by all accounts in protected groups the next time the process runs, so back it up first:

```powershell
# The AD: drive is provided by the ActiveDirectory module, so load it first
Import-Module ActiveDirectory

# Read the current ACL of the AdminSDHolder object (example domain bear.local)
$adminSDHolderACL = Get-ACL "AD:CN=AdminSDHolder,CN=System,DC=bear,DC=local"

# Save a copy so the ACL can be reviewed or restored later
$adminSDHolderACL | Export-Clixml -Path "AdminSDHolderACL.xml"
```
If you have a service account that writes data to objects, that service account will be unable to do so for protected accounts unless it is in this ACL, as it will have no permissions. However, think carefully before adding accounts to this ACL, as the permissions will apply to every protected account in the domain.
Checking for Users in this state
Script : adminCountChecker.ps1
This can also make sense: if the data in your Active Directory is wrong, this process only runs every 60 minutes, and if an account no longer qualifies for AdminSDHolder protection, for example because it has been removed from the privileged group (nested or not), then that removal stops the AdminSDHolder permissions being applied, but it does not reset the inheritance status.
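An added PowerShell check in the spirit of the script above (it is not the page's adminCountChecker.ps1): it reports which adminCount=1 accounts are still genuinely in a protected group and which are orphans left behind after removal, and previews the cleanup for the orphans only. The group names are those listed on the page; the ActiveDirectory module and rights to read the domain are assumed.

```powershell
# Added example (not the page's adminCountChecker.ps1): report accounts with adminCount=1
# that are no longer in any protected group, so AdminSDHolder will never clean them up.
# Assumes the ActiveDirectory RSAT module and read rights to the domain.
Import-Module ActiveDirectory

# Protected groups as listed on the page, resolved by name in the current domain
$protectedGroupNames = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

# Collect the DNs of every user who is a member directly or through nesting, which is
# exactly how an application account ends up protected without anyone noticing.
# The 1.2.840.113556.1.4.1941 matching rule makes the DC walk nested groups server-side.
$protectedMembers = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
foreach ($name in $protectedGroupNames) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # Enterprise/Schema Admins only exist in the forest root
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
        ForEach-Object { [void]$protectedMembers.Add($_.DistinguishedName) }
}

# Every user still carrying adminCount=1, plus whether ACL inheritance is still blocked
$report = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            DistinguishedName   = $_.DistinguishedName
            StillProtected      = $protectedMembers.Contains($_.DistinguishedName)
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
        }
    }
$report | Sort-Object StillProtected, SamAccountName | Format-Table -AutoSize

# Orphans: adminCount=1 but no longer protected. Only these are worth fixing by hand;
# for accounts that are still protected the next 60-minute run would undo the change.
# -WhatIf previews the change; remove it once the orphan list has been reviewed.
foreach ($orphan in $report | Where-Object { -not $_.StillProtected }) {
    Set-ADUser -Identity $orphan.DistinguishedName -Clear adminCount -WhatIf
    $acl = Get-Acl -Path "AD:\$($orphan.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance, keep current ACEs
    Set-Acl -Path "AD:\$($orphan.DistinguishedName)" -AclObject $acl -WhatIf
}
```

The StillProtected column is what distinguishes a legitimately protected account from a leftover; an account that shows as still protected should be fixed by removing it from the group, not by editing its ACL.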