
I have a task to remove adminCount and restore permissions inheritance for all users that are no longer members of protected groups. However, there are a few groups that were created by our organization and have adminCount set along with permissions inheritance blocked, but those groups aren't nested within any of the default protected groups. My question is - is it possible to just manually create a group in AD and set it to be protected by AdminSDHolder without adding it to any other protected groups?

2 Answers


The fact that adminCount is set (and permission inheritance blocked) on a user or group object only means that the object was a member of a protected group at some point in the past. It does not necessarily mean that the object is protected now.

You could of course set adminCount and/or block inheritance manually for an object, but that would serve little purpose. It is more likely that the object(s) you are looking at used to be a member of one or more protected groups, even if they no longer are.

In either case, the resolution is the same: re-enable inheritance and (optionally) reset adminCount. If the object(s) are in fact members of a protected group then these changes will be undone the next time SDPROP runs, and if not, they won't.

There is no mechanism to add other groups to the protected groups list. Only members of groups that are designated as protected by Microsoft are affected by SDPROP. (There is a mechanism to remove protection from a subset of those groups, described in KB817433.)

Harry Johnston
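The remediation this answer describes (re-enable inheritance, clear adminCount, and let SDPROP revert it if the object really is still protected) as an added PowerShell example; it is not part of the answer. It assumes the RSAT ActiveDirectory module, rights to modify the affected objects, and the default set of protected groups; the -ReportOnly switch is a name chosen here.

```powershell
# Added example: list (and optionally fix) users that carry adminCount=1 but are
# no longer transitive members of any SDPROP-protected group. Run -ReportOnly first.
param([switch]$ReportOnly)
Import-Module ActiveDirectory

# Groups whose members SDPROP protects in a default domain. Adjust only if you know
# your domain differs (e.g. a group un-protected via the KB817433 mechanism).
$protectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)

# Built-in Administrator (RID 500) and krbtgt (RID 502) are protected directly,
# not through group membership, so resolve them by SID in case they were renamed.
$stillProtected = @{}
$domainSid = (Get-ADDomain).DomainSID.Value
foreach ($rid in 500, 502) {
    $stillProtected[(Get-ADUser -Identity "$domainSid-$rid").DistinguishedName] = $true
}
foreach ($name in $protectedGroups) {
    # -Filter returns nothing (instead of throwing) for groups that only exist
    # in the forest root, such as Enterprise Admins and Schema Admins.
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# Candidates: adminCount is set, but no protected group currently contains the object.
$orphans = Get-ADUser -Filter 'adminCount -eq 1' -Properties adminCount |
    Where-Object { -not $stillProtected.ContainsKey($_.DistinguishedName) }

foreach ($user in $orphans) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    Write-Host ("{0}: inheritance blocked = {1}" -f $user.SamAccountName, $acl.AreAccessRulesProtected)
    if ($ReportOnly) { continue }
    # Re-enable inheritance (keeping explicit ACEs) and clear adminCount. If the
    # object is in fact still protected, SDPROP will simply undo this on its next run.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Set-ADUser -Identity $user -Clear adminCount
}
```

Get-ADGroupMember -Recursive can fail on very large groups or foreign security principals; in that case fall back to an LDAP_MATCHING_RULE_IN_CHAIN query on memberOf for each protected group.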

Check the permissions of AdminSDHolder under Domain\System using ADSIEdit.

spacenomyous