JSI Tip 9639. Description and Update of the Active Directory AdminSDHolder Object.

Microsoft Knowledge Base Article 232199 contains the following summary:

The information in this article applies only to upgrading from Windows 2000 RC2 (or earlier builds) to the released version of Windows 2000. A change was made in Windows 2000 RC3 to the access control list (ACL) of the AdminSDHolder Active Directory object. This object is used to control the permissions of user accounts that are members of the built-in Administrators or Domain Administrators groups.

Every hour, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the following object:


Replace "DC=MyDomain,DC=Com" in this path with the distinguished name (DN) of your domain.

If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.

NOTE: Using the following procedure is not required if you are upgrading Microsoft Windows NT 4.0 to the released version of Windows 2000.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.