Modify the AdminSDHolder container

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This procedure provides steps for modifying the AdminSDHolder container object, which is a built-in container object for each Active Directory domain that has a specific access control list (ACL) set on it. You can use the Dsacls tool to help prevent administrators from making unauthorized changes to the membership of administrative groups in an Active Directory domain.

Important

This procedure will not completely prevent unauthorized changes to membership of administrative groups in an Active Directory domain. It is always recommended that you have auditing in place that alerts you when any changes are made to the membership of administrative groups in your Active Directory domain. For more information, see "Additional references."

To modify the AdminSDHolder container

  1. Download and install the Windows Server 2003 Service Pack 1 (SP1) Support Tools.

    Dsacls.exe is available as part of the Windows Support Tools. For more information, see article 89277 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=44321).

  2. In the domain that you want to modify, create a new domain local group, for example, AdminDenyGrp.

    For more information about creating a new domain local group, see Create a new group.

  3. For each administrator that you want to help prevent from making changes to administrative groups in the domain, add the administrator's name to the group that you created.

    For more information about adding a member to a group, see Add a member to a group.

  4. Open a command prompt with your administrative credentials.

  5. At the command prompt, type the following, and then press ENTER:

    dsacls <AdmSDHolderDN> /D <DomName>\<AdminDenyGrp>:WP;"<Attribute>"
    
  6. Apply the parameters in the following table as appropriate for your deployment.

Parameter Description

<AdmSDHolderDN>

Specifies the distinguished name of the AdminSDHolder object for the domain. For example, where the domain is CORPHQ, as in corphq.contoso.com, the distinguished name is the following:

CN=AdminSDHolder,CN=System,DC=corphq,C=contoso,DC=com

<DomName>

Specifies the name of the trusting domain. For example, where the full distinguished name is corphq.contoso.com, the domain name is specified as "CORPHQ" here.

<AdminDenyGrp>

Specifies the actual name of the group that you created in step 2 in this procedure.

<Attribute>

Specifies the attribute on the AdminSDHolder container that will be modified when the command is run. For this procedure, specify the value as "member" (including the quotation marks). This is the name of the attribute that Active Directory uses to store the membership data that is associated with a group.

When you run this command, it modifies the AdminSDHolder container for the domain that you specified to deny the specified group the ability to write the member attribute for group objects.

For example, the following command line uses actual values that might appear in the dsacls command in which /D indicates that you are adding a DENY access control entry (ACE), and WP indicates the Write property for the member attribute.

dsacls CN=AdminSDHolder,CN=System,DC=corphq,C=contoso,DC=com /D CORPHQ\AdminDenyGrp:WP;"member"

To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following, and then press ENTER:

dsacls /?

Additional considerations

Important

Before you add access control permissions on Active Directory objects or properties, see "Additional references."

  • To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To complete this procedure, you must have the Dsacls command-line tool installed.

  • You can use this procedure to put other restrictions in place for protected objects. For example, the following command puts DENY-Delete & DENY-Modify Permissions ACEs on protected objects for the specified user or group object (ServiceAccount):

    DSACLS DNofAdminSDHolderContainer /D CONTOSO\ServiceAccount:SDWD
    

    The following command puts a DENY-Reset Password ACE on protected objects for the specified user or group object (ServiceAccount):

    DSACLS DNofAdminSDHolderContainer /D CONTOSO\ServiceAccount:CA;"Reset Password"
    

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

Additional references