JSI Tip 9747. How do I alter the frequency at which the AdminSDHolder object updates security descriptors?

The AdminSDHolder object updates security descriptors every 60 minutes.

To alter the frequency, use REG.EXE, built into Windows XP, and Windows Server 2003, or REG.EXE from the Windows 2000 Support Tools on the CD-ROM:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /V AdminSDProtectFrequency /T REG_DWORD /F /D <Number>

Where <Number> has an allowable range from 1 to 120 minutes.

Prior to SP4, the Windows 2000 protected groups were:

• Administrators 
• Domain Admins 
• Enterprise Admins 
• Schema Admins
Windows Server 2003 and Windows 2000 SP4 protects:
• Administrators 
• Account Operators 
• Backup Operators 
• Domain Admins 
• Cert Publishers 
• Enterprise Admins 
• Print Operators 
• Schema Admins 
• Server Operators
NOTE: The Administrator and Krbtgt accounts are always protected.

NOTE: See Best Practices for Delegating Active Directory Administration.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.