adminSDHolder in Active Directory

Last week, we decided we wanted a select handful of Helpdesk Leads to be able to reset passwords on other helpdesk and support role associates' accounts.  For the longest time, the helpdesk associates were unable to reset passwords due to rights, but because this particular directory was old, we never looked into why.  Once we started looking, we did not find any inheritance blocking, any special delegation, or any other reason why they could not reset particular users' passwords.  Then we found one of those commonly forgotten items in Active Directory.  Here comes the crash course on adminSDHolder in Active Directory.

AdminSDHolder is a container object in the System container of every domain (CN=AdminSDHolder,CN=System,DC=yourdomain,DC=com).  The ACL on that object is a template: the Security Descriptor Propagator (SDProp), a task that runs on the PDC emulator, stamps it onto every member of a protected group, by default every 60 minutes.  Protected groups are:

  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers (Windows 2000 SP4 and Windows Server 2003 RTM only; dropped from the list in Windows Server 2003 SP1)

Depending on the OS version the list also includes Domain Controllers, Read-only Domain Controllers and Replicator, and the Administrator and krbtgt accounts are protected directly, without group membership.  So, every 60 minutes, the ACL from the AdminSDHolder object is copied to any user, computer or group that is a direct or transitive member of any of these groups.  In addition to the ACL being copied, permissions inheritance is disabled on the object and its adminCount attribute is set to 1.  SDProp never reverses this: an account that is later removed from a protected group keeps the AdminSDHolder ACL, the blocked inheritance and adminCount=1 until someone cleans it up by hand, which is exactly how delegations on such accounts end up appearing broken for no visible reason.
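The following PowerShell is an added example, not code from the original post.  It audits what SDProp has done in a domain: it resolves the transitive membership of the protected groups, lists every object stamped adminCount=1, shows whether inheritance is disabled on it, and flags the orphans (stamped, but no longer in any protected group) as well as members SDProp has not reached yet.  It assumes the RSAT ActiveDirectory module and read access to the domain; the protected-group list is the Windows Server 2003 SP1+ default and is an assumption for your version.

```powershell
# Added example (not from the original post): audit the effect of SDProp.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator   # SDProp runs only on the PDC emulator

# Default protected groups for Windows Server 2003 SP1 and later (assumed list).
# Schema Admins and Enterprise Admins exist only in the forest root domain.
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Domain Admins', 'Schema Admins', 'Enterprise Admins',
    'Domain Controllers', 'Read-only Domain Controllers', 'Replicator'
)

# Resolve transitive membership with LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
# Unlike Get-ADGroupMember -Recursive, this also returns nested groups, which SDProp stamps too.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Server $pdc -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }   # group does not exist in this domain
    Get-ADObject -Server $pdc -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($grp.DistinguishedName))" |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $name }
}

# Everything SDProp has already stamped. Administrator and krbtgt are protected
# directly rather than via a group, so they are excluded from the orphan check.
$stamped = Get-ADObject -Server $pdc -LDAPFilter '(adminCount=1)' `
    -Properties adminCount, sAMAccountName, nTSecurityDescriptor

$report = foreach ($obj in $stamped) {
    $inGroup = $protectedMembers.ContainsKey($obj.DistinguishedName)
    $builtin = $obj.sAMAccountName -in @('Administrator', 'krbtgt')
    [pscustomobject]@{
        Object              = $obj.DistinguishedName
        ProtectedVia        = if ($inGroup) { $protectedMembers[$obj.DistinguishedName] }
                              elseif ($builtin) { 'built-in account' } else { '(none)' }
        # nTSecurityDescriptor comes back as ActiveDirectorySecurity; this flag is the
        # "disable inheritance" bit SDProp sets on the DACL.
        InheritanceDisabled = $obj.nTSecurityDescriptor.AreAccessRulesProtected
        # Stamped but no longer in a protected group: SDProp never undoes its work, so the
        # object keeps the AdminSDHolder ACL and blocked inheritance until fixed by hand.
        OrphanedAdminCount  = (-not $inGroup) -and (-not $builtin)
    }
}

# Protected members SDProp has not stamped yet (added within the last hour, or SDProp is broken).
$pending = $protectedMembers.Keys | Where-Object { $_ -notin $stamped.DistinguishedName }

$report | Sort-Object OrphanedAdminCount -Descending | Format-Table -AutoSize
if ($pending) { 'Protected members not yet stamped by SDProp:'; $pending }
```

The orphans are the accounts worth fixing first: they still carry the AdminSDHolder ACL, so any OU-level delegation (including a password-reset delegation to the helpdesk) silently fails to apply to them.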

This concept is designed by Micro$oft to enhance security on important accounts.  You wouldn't want any helpdesk user with Account Operators rights to be able to reset the password on your enterprise admin account and then be able to use it for any reason they feel necessary (wish we didn't give them a 2 week notice!)

What we did to fit our needs was create a "Helpdesk Leads" group that only Domain Admins have rights to.  Then, we gave "reset password" rights to the adminSDHolder object for this group.  That may sound simple, but there is a catch.  Because AdminSDHolder is a container object, the ACL editor in the GUI only offers the rights that apply to the container class, and "Reset Password" (the User-Force-Change-Password extended right) applies only to user, computer and inetOrgPerson objects, so it never appears there.  The DSACLS command must be used instead (part of the Support Tools on Windows Server 2003; built into Windows Server 2008 and later).  Here is the syntax, with the group qualified by domain and the DN in straight quotes:

    dsacls "CN=AdminSDHolder,CN=System,DC=yourdomain,DC=com" /G "YOURDOMAIN\Helpdesk Leads:CA;Reset Password"

After 60 minutes (the next SDProp run), our Helpdesk Leads users were able to reset passwords for protected accounts.  Bear in mind what that ACE means: anyone in Helpdesk Leads can now reset the password of any Domain Admin or Enterprise Admin in the domain, so the group itself has to be guarded and audited as strictly as Domain Admins.
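The same procedure, end to end, as an added PowerShell example that is not the original post's own commands: it grants the Reset Password right on AdminSDHolder to the group, forces SDProp to run immediately instead of waiting up to 60 minutes (the runProtectAdminGroupsTask RootDSE operation exists on Windows Server 2008 and later; Windows Server 2003 used fixupInheritance), and then checks a protected account for the new ACE.  Assumptions: the group is named "Helpdesk Leads" as in the post, a user member of Domain Admins is used as the sample protected account, the RSAT ActiveDirectory module is installed, and it runs as a Domain Admin against the PDC emulator.

```powershell
# Added example, not the original post's commands: grant Reset Password on
# AdminSDHolder, force SDProp, verify the ACE on a protected account.
# Assumes group "Helpdesk Leads" exists and the caller is a Domain Admin.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$pdc     = $domain.PDCEmulator
$holder  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$grantee = "$($domain.NetBIOSName)\Helpdesk Leads"

# 1. Grant the control-access right. "Reset Password" is the display name of the
#    User-Force-Change-Password extended right. The \\server\ prefix makes dsacls
#    write to the PDC emulator so SDProp sees the new template ACL right away.
dsacls "\\$pdc\$holder" /G "${grantee}:CA;Reset Password"

# 2. Trigger SDProp now. Writing runProtectAdminGroupsTask=1 to the RootDSE of the
#    PDC emulator starts the same task that otherwise runs every 60 minutes.
$rootDse = [ADSI]"LDAP://$pdc/RootDSE"
$rootDse.Put('runProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
Start-Sleep -Seconds 15   # the task is asynchronous; give it a moment

# 3. Verify on a protected account: adminCount=1, inheritance disabled, and an
#    ExtendedRight ACE for the grantee whose ObjectType is the Reset Password GUID.
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password

$sample = Get-ADGroupMember -Server $pdc -Identity 'Domain Admins' |
          Where-Object objectClass -eq 'user' | Select-Object -First 1
$user   = Get-ADUser -Server $pdc -Identity $sample -Properties adminCount, nTSecurityDescriptor

$ace = $user.nTSecurityDescriptor.Access | Where-Object {
    $_.IdentityReference.Value -eq $grantee -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $resetPasswordGuid
}

[pscustomobject]@{
    Account             = $user.DistinguishedName
    AdminCount          = $user.adminCount
    InheritanceDisabled = $user.nTSecurityDescriptor.AreAccessRulesProtected
    ResetPasswordACE    = [bool]$ace
}
```

If ResetPasswordACE comes back $false while the dsacls call succeeded, the usual causes are that SDProp has not finished yet (rerun step 3) or that the ACE was written to a DC other than the PDC emulator and has not replicated there; SDProp only reads the AdminSDHolder copy on the PDC emulator.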