Deji Akomolafe
AdminSDwhatchamancallit - Why your permissions "disappear" - PART I
Posted by: Deji Akomolafe 4/24/2006

I have been seeing more and more reports of delegated permissions "magically" disappearing in AD environments, and the symptom comes back on a roughly hourly cycle. For example, you delegate the "reset password" permission over a set of user accounts to "HD-Group", whose members are UserJoe and UserJane. Both of them can perform the delegated task for up to an hour. After that, it stops working against some of the target accounts, and when you examine the ACL on those accounts, the ACE you added has "disappeared".

The environments where this shows up usually have one of the following in common:

  • Windows 2000 AD: the DCs have recently been updated to SP4
  • Windows 2000 AD: the hotfix released in KB327825 has recently been applied to one or more DCs
  • Windows 2000 AD: the domain has recently been upgraded to Windows 2003 AD

The "mystery" is due to a change in the behaviour of the thread that enforces the AdminSDHolder object's permissions in Windows AD: specifically, the list of groups it protects grew.

Although this behavior is documented in several places online, most with a suggested "fix", the question still crops up every now and then. Since I had already written one such document for my team's internal consumption, and since I find myself re-writing the same answers ever so frequently, I have decided to blog my documentation and simply provide references to it in the future. I tried to break this down as plainly as possible, so it's a lengthy piece. But, if you get through it, you will probably never have to ask "what is AdminSDHolder?" again.

Briefly explained: the DC holding the PDC emulator role (the PDCE) in an AD domain runs a thread (the Security Descriptor Propagator, SDProp) every 60 minutes. The thread walks a number of "protected" groups and every member of those groups, nested groups and their members included, and compares the security descriptor on each of those objects against the one on the AdminSDHolder object (CN=AdminSDHolder,CN=System,DC=Domain,DC=Com). IF it finds ANY difference, it overwrites the ACL on the affected group or user so that it MATCHES THE ACL ON THE AdminSDHolder object, turns off inheritance of permissions from the parent OU, and stamps the object with adminCount=1.

 

That, ladies and gentlemen, is why permissions “disappear”.
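The comparison the thread performs can be reproduced from the command line. The following is an added example written for this page, not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller can read security descriptors in the domain, and the function and variable names are my own. It reads the explicit ACEs on AdminSDHolder, then for every object the thread has already stamped with adminCount=1 reports the ACEs that differ (the ones the next pass will strip or put back) and whether inheritance is still on.

```powershell
# Added example: not code from the original post. Assumes the ActiveDirectory
# module (RSAT) and read access to security descriptors. Names are my own.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$pdce     = $domain.PDCEmulator          # the thread runs here, so read from here
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Map a provider drive to the PDC emulator so Get-Acl reads its copy of the directory.
New-PSDrive -Name PDCE -PSProvider ActiveDirectory -Server $pdce -Root '' -Scope Script | Out-Null

# Reduce an ACE to a string so two DACLs can be compared entry by entry.
function ConvertTo-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.InheritanceType, $Ace.ObjectType, $Ace.InheritedObjectType
}

# Explicit (non-inherited) ACEs of an object's DACL, as keys. The thread copies
# AdminSDHolder's explicit ACEs and turns inheritance off, so inherited entries
# on a protected object are exactly what it is about to remove.
function Get-ExplicitAceKeys {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "PDCE:\$DistinguishedName"
    @($acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { ConvertTo-AceKey $_ })
}

$reference = Get-ExplicitAceKeys $holderDN

# Every object the thread has already stamped carries adminCount=1.
$stamped = Get-ADObject -Server $pdce -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.DistinguishedName -ne $holderDN }

foreach ($obj in $stamped) {
    $acl     = Get-Acl -Path "PDCE:\$($obj.DistinguishedName)"
    $keys    = @($acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { ConvertTo-AceKey $_ })
    $extra   = @($keys      | Where-Object { $reference -notcontains $_ })  # stripped on the next pass
    $missing = @($reference | Where-Object { $keys      -notcontains $_ })  # put back on the next pass
    $inheritanceOn = -not $acl.AreAccessRulesProtected                      # disabled on the next pass

    if ($extra.Count -or $missing.Count -or $inheritanceOn) {
        [pscustomobject]@{
            Object             = $obj.DistinguishedName
            ExtraAces          = $extra   -join '; '
            MissingAces        = $missing -join '; '
            InheritanceEnabled = $inheritanceOn
        }
    }
}
```

Run it right after delegating something and again an hour later: the "ExtraAces" column shows the ACE you just added, and on the second run it is gone. The thread compares the whole security descriptor (owner and SACL included); this script only checks the DACL and the inheritance flag, which is where delegation lives.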


So, why the recent increase in reports? Well, in a Windows 2000 AD without SP4 or KB327825, the list of "protected" groups is very short. Here it is:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Administrators

You will agree that those groups are REALLY special: your helpdesk people don't typically belong in them, and you typically don't delegate permissions over members of these groups because they are almost "gods" already. This is why, even though the AdminSDHolder thread does its thing every hour in a Windows 2000 AD environment too, you hardly notice: permissions don't typically "disappear".

OK, now here's the problem. In a Windows 2003 AD, Windows 2000 SP4 AD, or Windows 2000 KB327825-patched AD environment, the list of "protected" groups is longer. Here it is:

  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers

In addition, the domain's built-in Administrator account is "protected" in its own right.

Look at this list, consider what happens every hour, and spend a few minutes thinking about the kinds of people and groups that are normally added to the groups above (helpdesk staff in Account Operators, backup service accounts in Backup Operators, and so on), and you will begin to understand WHY PERMISSIONS DISAPPEAR.


In brief: if a user or a group is a member of any of the groups listed above, directly or through nesting, the ACL on that user or group object is overwritten with the AdminSDHolder ACL every hour, so ANY permission you delegate on it (or that it would inherit from its OU) is gone within the hour. Note also that simply removing the account from the group does not undo this: the thread stops rewriting the object, but the copied ACL, the disabled inheritance and the adminCount=1 stamp stay as they are.
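To know in advance whose delegated permissions will vanish, enumerate the membership of the protected groups transitively. The following is an added example for this page, not code from the original post; it assumes the ActiveDirectory PowerShell module, read access to group membership, and uses the group list given above for Windows 2003 / 2000 SP4 (verify it against your own OS version, since later versions protect additional objects). It walks nested groups itself, because a user three levels deep is reset just like a direct member, and finishes by listing objects that still carry the adminCount=1 stamp without being in any listed group.

```powershell
# Added example: not code from the original post. Assumes the ActiveDirectory
# module and read access to group membership. The group list is the one the
# post gives for Windows 2003 / 2000 SP4; verify it for your OS version.
Import-Module ActiveDirectory

$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
                   'Backup Operators', 'Domain Admins', 'Schema Admins', 'Enterprise Admins', 'Cert Publishers'

# Walk a group's membership depth-first by DN. Nested groups are recorded too,
# because the thread resets the ACL on nested groups as well as on their users.
function Add-ProtectedMembers {
    param([string]$GroupDN, [string]$Root, [hashtable]$Seen)
    foreach ($m in Get-ADGroupMember -Identity $GroupDN) {
        if ($Seen.ContainsKey($m.DistinguishedName)) { continue }  # already in scope; also stops cycles
        $Seen[$m.DistinguishedName] = "via $Root"
        if ($m.objectClass -eq 'group') {
            Add-ProtectedMembers -GroupDN $m.DistinguishedName -Root $Root -Seen $Seen
        }
    }
}

$domain = Get-ADDomain
$seen   = @{}   # DN -> why it is in scope of the hourly reset

foreach ($name in $protectedGroups) {
    # Schema Admins and Enterprise Admins only exist in the forest root domain.
    $group = Get-ADGroup -Filter "name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    $seen[$group.DistinguishedName] = "protected group $name"
    Add-ProtectedMembers -GroupDN $group.DistinguishedName -Root $name -Seen $seen
}

# The built-in Administrator account (RID 500) is protected in its own right.
$admin = Get-ADUser -Identity "$($domain.DomainSID)-500"
if (-not $seen.ContainsKey($admin.DistinguishedName)) {
    $seen[$admin.DistinguishedName] = 'built-in Administrator'
}

"== In scope of the hourly reset: ACEs added to these objects will not survive =="
$seen.GetEnumerator() | Sort-Object Value, Key | ForEach-Object { '{0,-35} {1}' -f $_.Value, $_.Key }

# The thread leaves adminCount=1 on everything it stamps. An object that has the
# stamp but is no longer in any protected group is not rewritten any more, yet
# keeps the copied ACL and disabled inheritance until someone fixes it by hand.
"== Stamped (adminCount=1) but not currently in any listed protected group =="
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
Get-ADObject -LDAPFilter '(adminCount=1)' |
    Where-Object { $_.DistinguishedName -ne $holderDN -and -not $seen.ContainsKey($_.DistinguishedName) } |
    ForEach-Object { $_.DistinguishedName }
```

If HD-Group shows up in the first list, every ACE you put on HD-Group (or on its members) has an hour to live. Members from other domains in the forest appear as foreign security principals and may need Get-ADGroupMember to be pointed at a DC of that domain with -Server.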


There are ways to “fix” this, but, considering the length of this article, I will reserve that discussion for PART II. Catch your breath.
