How to Overcome Windows Protected Groups Permissions Problems

Thursday, December 20, 2007

Windows Active Directory protects certain built-in groups from ACL modifications. The purpose is to prevent these groups, and their members, from becoming inaccessible through restrictive permissions. For example, an administrator may accidentally (or maliciously) assign Deny All permissions to the Domain Admins group, which would prevent its members from managing the domain.

To correct this condition, the AdminSDHolder process (SDProp) periodically copies the ACL of the AdminSDHolder object onto every protected group and onto every account that is a member of one, and marks those objects with adminCount=1. This background task runs on the PDC emulator every 60 minutes by default. A side effect is that it disables permission inheritance on every object it touches, so permissions delegated at the OU level no longer reach those objects. Membership is transitive: a user who belongs to a group that is nested inside a protected group is affected in the same way. A common symptom is that affected users cannot change properties of their own user object in AD or reset their own passwords using ADUC. Note also that adminCount is not cleared when an account is later removed from the protected group, so the stamped ACL and blocked inheritance remain until an administrator resets them.

The resolution is to modify the ACL on the AdminSDHolder object in the System container of the domain. The permissions on AdminSDHolder act as the "template" that is applied to all Windows Protected Groups and their members. Editing the ACL on an individual protected user is pointless, because the next run of the process overwrites it with the template again.

The protected groups in Windows 2000 are:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators

The protected groups in Windows Server 2003, and in Windows 2000 after you apply KB327825 or Service Pack 4, are:

  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers

In addition, the following user accounts are also considered protected:

  • Administrator
  • krbtgt

The following steps explain how to modify the permissions on this object so that members of these groups can modify their own attributes and reset their passwords using ADUC.

  • Run Active Directory Users and Computers (ADUC) with Domain Admin rights

  • View advanced features by selecting Advanced Features from the View menu

  • Select the System container in the selected domain

  • Right-click the AdminSDHolder container and select Properties

  • Click the Security tab and the Advanced button

  • Under Permission Entries select SELF and click Edit

  • Assign SELF the permissions the affected users need and click OK. Full Control works, but it is broader than necessary: because this ACL is stamped onto every protected account, each of those accounts would gain full control over its own object, including the right to rewrite its own ACL. Prefer granting only the specific rights required, for example the Change Password and Reset Password extended rights and write access to the attributes users must edit.

  • Click OK to close the Advanced Security Settings for AdminSDHolder window

  • Click OK to close the AdminSDHolder Properties window

The new settings will propagate to all members of the Windows Protected Groups the next time the AdminSDHolder background process runs (every 60 minutes by default). Because every entry on AdminSDHolder is replicated onto every privileged account in the domain, changes to this object should be made sparingly and audited like any other change to the Domain Admins group itself.
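The following PowerShell script is an added example, not part of the original post, that carries out the procedure above from the command line: it lists the objects SDProp has already stamped, flags accounts that still carry adminCount=1 although they no longer belong to any protected group, adds a SELF entry to AdminSDHolder that grants only the two password extended rights rather than Full Control, and then asks the PDC emulator to run the process immediately instead of waiting up to an hour. It assumes the RSAT ActiveDirectory module, Domain Admin rights, a 2008 R2 or later domain controller for the runProtectAdminGroupsTask trigger, and that Change Password and Reset Password are the rights the affected users need; the list of protected group names is taken from the page.

```powershell
# Added example (not the original post's code). Requires the ActiveDirectory
# module (RSAT) and Domain Admin rights. Assumptions: the rights granted in
# step 3 and the rootDSE trigger in step 4 are choices made here, not
# something the page states.
Import-Module ActiveDirectory

$domainDn        = (Get-ADDomain).DistinguishedName
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# 1. Objects SDProp has already stamped: adminCount=1 marks them, and
#    AreAccessRulesProtected=True shows that inheritance was disabled.
$stamped = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor
foreach ($obj in $stamped) {
    '{0,-60} inheritanceBlocked={1}' -f $obj.DistinguishedName,
        $obj.nTSecurityDescriptor.AreAccessRulesProtected
}

# 2. adminCount is never cleared automatically. Compare the stamped user
#    accounts with the current recursive membership of the protected groups
#    (names from the page) to find orphans that still carry the old ACL.
$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
                   'Backup Operators', 'Domain Admins', 'Schema Admins', 'Enterprise Admins',
                   'Cert Publishers'
$currentMembers = foreach ($g in $protectedGroups) {
    # Schema/Enterprise Admins and Cert Publishers only exist in the forest
    # root domain, so ignore lookup failures in child domains.
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
$orphans = $stamped | Where-Object {
    $_.ObjectClass -eq 'user' -and
    $currentMembers -notcontains $_.DistinguishedName -and
    $_.Name -notin 'Administrator', 'krbtgt'      # always protected, never orphans
}
if ($orphans) {
    Write-Warning 'Accounts with adminCount=1 that are no longer in a protected group:'
    $orphans | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}

# 3. Grant SELF only the two password extended rights on the template.
#    S-1-5-10 is NT AUTHORITY\SELF; the GUIDs are the schema's
#    User-Change-Password and User-Force-Change-Password control access rights.
$self   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'
$rights = @{
    'Change Password' = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
    'Reset Password'  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
}

$acl = Get-Acl -Path "AD:\$adminSdHolderDn"
Write-Host 'Existing SELF entries on AdminSDHolder before the change:'
$acl.Access | Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SELF' } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType | Format-Table -AutoSize

foreach ($name in $rights.Keys) {
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rights[$name]
    )
    $acl.AddAccessRule($ace)
    Write-Host "Adding SELF: $name"
}
Set-Acl -Path "AD:\$adminSdHolderDn" -AclObject $acl

# 4. Ask the PDC emulator to run SDProp now rather than waiting for the
#    60-minute timer. On domain controllers older than 2008 R2 the
#    operational attribute is named fixupInheritance instead.
$pdc     = (Get-ADDomain).PDCEmulator
$rootDse = [adsi]"LDAP://$pdc/RootDSE"
$rootDse.Put('runProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
Write-Host "SDProp triggered on $pdc; re-run step 1 in a few minutes to confirm the new ACL."
```

Running step 1 again after the trigger shows the new SELF entries on every stamped object. Step 2 is the check a practitioner wants before touching the template: orphaned accounts keep the stamped ACL indefinitely and are a common reason delegated permissions "mysteriously" fail; resetting their adminCount and re-enabling inheritance is a separate, deliberate cleanup.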