Changing the Security Descriptor on AdminSDHolder
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
The security descriptor on AdminSDHolder serves two purposes. First, it controls access to the AdminSDHolder object itself. Second, it acts as the master security descriptor that is periodically applied to the service administrator accounts and their members to ensure that they remain protected.
Requirements
Credentials: Domain Admins
Tools: Active Directory Users and Computers
To change the security descriptor on AdminSDHolder
Log on with Domain Admins credentials, and then open Active Directory Users and Computers.
On the View menu, click Advanced Features.
In the console tree, click the System container.
In the details pane, right-click AdminSDHolder, and then click Properties.
On the Security tab, modify the security descriptor by changing the settings as specified in Table 39.