After raising the forest functional level to Microsoft Windows Server 2003, you create a new account that you add to an administrative or operator group, like Domain Admins, causing events like the following to logged every 60 minutes in the Security event log of the PDC (Primary Domain Controller) emulator:
Event Type: Success Audit Event Source: Security Event Category: Account Management Event ID: 684 Date: MM/DD/YYYY Time: HH:MM:SS User: NT AUTHORITY\ANONYMOUS LOGON Computer: <ComputerName> Description: Set ACLs of members in administrators groups: Target Account Name: <New Account You Created> Target Domain: DC=<DomainName>,DC=<com> Target Account ID: <DomainName>\<New Account You Created> Caller User Name: <ComputerName$> Caller Domain: <DomainName> Caller Logon ID: (0x0,0x3E7) Privileges: - For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.The AdminSDHolder object in Active Directory updates security every 60 minutes by comparing the security descriptor of the AdminSDHolder object to the new administrative account. After raising the forest functional level, access control entries are reordered for new or modified accounts, causing a mismatch with the security descriptor of the AdminSDHolder object since the compare is performed as a binary large object instead of ACE ( Access Control Entry) against ACE.
For more information about the scope and the operation of the AdminSDHolder object, see
817433 Delegated permissions are not available and inheritance is automatically disabled