2

I have a Server 2008 R2 machine with Windows Deployment Services installed, which works perfectly well. However after some time (maybe a restart after installing updates) the security permissions applied in Active Directory to allow WDS to work are reset.

The required settings are:

Domain Admins:  Full Control
Enteprise Admins:  Full Control
Account Operators:  Full Control
System:  Full Control
SELF:  Create All Child Objects, Delete All Child Objects, Validated write to DNS host name, Validated write to service principal name, Read Personal Information, Write Personal Information

I've applied these settings from the machine it's self and from the domain controller. I'm not sure why this is happening, there doesn't appear to a problem with any other AD settings being reset. I've read about AdminSDHolder but not sure if this applies in my case as I'm setting the permissions manually - also I've read it's not best practice to change it although admittedly this is the first time I've come across this.

How can I make AD retain these settings?

techraf
  • 4,243
  • 8
  • 29
  • 44
GJKH
  • 123
  • 1
  • 5
  • Is the Computer Account itself a member of any privileged group, like Domain Admins, Enterprise Admins or Server Operators ? – Mathias R. Jessen Feb 05 '15 at 16:22
  • Sorry, I really should have mentioned the server also has Exchange 2010 as mailbox role - `Exchange Servers` `Exchange Trusted Subsystem` `Exchange Install Domain Servers` and `Backup Operators` – GJKH Feb 05 '15 at 16:44

1 Answers1

2

As explained in the TechNet Magazine article "AdminSDHolder, Protected Groups and SDPROP", Active Directory "protects" members of a set of "protected groups".

Every 60 minutes, the Directory Service Agent runs a background job that:

  1. Identifies all "protected" objects. These objects will then have their AdminCount attribute set to a value of 1
  2. For each object that now matches (&(adminCount=1)), it copies the Security Descriptor from the AdminSDHolder container object and "stamps" the protected object with it.

This process is what is referred to as the "Security Descriptor Propagator" or "SDPROP" for short.

Backup Operators is just one of these "Protected Groups", so if a computer account object is a member of Backup Operators, SDPROP will "reset" the SD on said computer account object.

If you want to test this hypothesis without waiting up to 1 hour, break out PowerShell, connect to the RootDSE of any Domain Controller in the domain and call the FixUpInheritance routine (this is what SDPROP does internally anyways), like so:

$RDSE = [ADSI]"LDAP://dc01.my.domain.tld/RootDSE"
$RDSE.Put("FixUpInheritance",1)
$RDSE.SetInfo()

You can either remove the server from the Backup Operators group and then manually unset the adminCount attribute on the object, or you can change the Security Descriptor of the AdminSDHolder object, although I would strongly advise against it if you're not confident in what you are doing

Mathias R. Jessen
  • 25,161
  • 4
  • 63
  • 95