Archive for December, 2013

Automatically resuming Windows PowerShell Workflow jobs at logon

How Internet Explorer Enhanced Protected Mode (EPM) is enabled under different configurations

How to Modify Security Inheritance on Active Directory Objects using PowerShell // AdminSDHolder



Get-ADgroup -LDAPFilter “(admincount=1)” | select name,SID

Get-ADuser -LDAPFilter “(admincount=1)” -Properties * | select name, memberOf

More than likely, this is due to a special container called AdminSDHolder. Active Directory protects certain accounts not to inherit delegated permission. This behavior applies to direct and nested members of the following security-groups:


The ability to control groups protected by AdminSDHolder is enabled by modifying the dsHeuristic flag. This is a Unicode string in which each character contains a value for a single forest-wide setting. Character position 16 is interpreted as a hexadecimal value, where the left-most character is position 1.

There’s an easy way to determine which users and groups AdminSDHolder protects in your domain. You can query the adminCount attribute to determine whether an object is protected by the AdminSDHolder object. The following examples use the ADFind.exe tool, which can be downloaded from


Orphaned AdminSDHolder Objects

When a user is removed from a protected group, the adminCount attribute on that user account does not change; the value 1 remains. Furthermore, the status of inheritance is not changed. As a result, the user account no longer receives its ACL from the AdminSDHolder object, but it also doesn’t inherit any permissions from parent objects, provided inheritance has not been enabled on the AdminSDHolder object. The common term for this issue is "orphaned AdminSDHolder objects." There is no automated mechanism to fix inheritance on objects that no longer belong to protected groups; you must deal with orphaned AdminSDHolder objects manually. Microsoft has developed and made available a VB Script that will assist you in re-enabling inheritance on user accounts that were previously members of protected groups. To find the VB Script, go to Delegated permissions are not available and inheritance is automatically disabled.

How can I force AdminSDHolder permissions to be enforced?

for all Versions of AD:

FixUpInheritance rootDSE LDAP modify –> SDPROP

new with Windows Server 2008 R2: much faster

RunProtectAdminGroupsTask rootDSE LDAP modify–> SDPROP only for AdminSDHolder

Categories: MS: AD, Group Policies, PKI Tags:

Licensing Logic: What is SCE and how does it work?

Troubleshooting Adventure: A Real Life Memory Pool Leak

How to tackle Performance Issues (For System Center ConfigMgr / OpsMgr)

IIS HTTP Client certificate authentication