• Josh

Step 1 : Cleaning up Protected Accounts

Updated: Apr 23

A clean Directory is a happy Directory. As we begin cleaning up Microsoft Active Directory (AD) the first place we want to start is with our protected accounts. These accounts are or were a member of protected groups:


Account Operators

Administrators

Backup Operators

Domain Admins

Domain Controllers

Enterprise Admins

Enterprise Key Admins

Key Admins

Print Operators

Read-only Domain Controllers

Schema Admins

Server Operators


These groups are protected by the AdminSDHolder process and sets the attribute "admincount" to 1 if it is in a protected group. Now you may be asking yourself, "How does this affect me?"


Have you ever had one of your ServiceDesk admins call and say that they cannot reset a password for a regular account? After about a week or so of troubleshooting, and having already reset the account, you find this blog. Most likely the cause is the admincount attribute. If the account was ever a member of a protected account, the admincount attribute is set to 1. To reset the password or unlock the account you must have a Domain Admin level account.


If it were me, my next question would be, "How do I clean this up?"


I'm lazy, so I prefer a scheduled task with a script assigned and I run it once a week. However, you own your environment and you know what works for you. I am, however, going to give you the tools to clean it up. I love PowerShell so that is what I am going to use.


Let's get all accounts with the admincount attribute set to 1:


get-aduser -filter{admincount-eq 1} -properties samaccountname,admincount


Now lets clear the admincount attribute for all accounts that have it set to 1 .... Say what!? Yes, this is the easiest and most effective method of getting rid of that pesky attribute. Also, the AdminSDHolder process runs on an interval to reset the admincount attribute to 1 for any accounts in a protected group. I know you may be worried right now but... don't be... within an hour those accounts in the protected groups will have the attribute repopulated. Are you sure? Yes and No. There is a registry key on a domain controller that holds the frequency setting for the AdminSDHolder process in case it was changed from the default of 60 minutes and it is...


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]

"AdminSDProtectFrequency"=<your value>"


Now we are sure it is going to run on a certain schedule. With our worries out of the way lets change those accounts.


get-aduser -filter{admincount-eq 1} -properties samaccountname,admincount | set-aduser -clear admincount


Now we wait.


Things are cleaner and we can move on to the next step of Cleaning up Active Directory..


Josh


 

PO Box 1157
Florence, MS 39073

©2020 by Arrow Head Consulting LLC.
View our privacy policy here