Archive for December, 2013

Automatically resuming Windows PowerShell Workflow jobs at logon

How Internet Explorer Enhanced Protected Mode (EPM) is enabled under different configurations

How to Modify Security Inheritance on Active Directory Objects using PowerShell // AdminSDHolder



# Groups currently stamped by SDProp (adminCount=1)
Get-ADGroup -LDAPFilter "(adminCount=1)" | Select-Object Name, SID

# Users currently stamped by SDProp, with their group memberships
Get-ADUser -LDAPFilter "(adminCount=1)" -Properties memberOf | Select-Object Name, memberOf

More than likely, this is due to a special container called AdminSDHolder. Active Directory prevents certain accounts from inheriting delegated permissions. This behavior applies to direct and nested members of the following security groups:


Which groups AdminSDHolder protects can be adjusted by modifying the dsHeuristics attribute. This is a Unicode string in which each character holds the value of one forest-wide setting; character position 16 (counting the left-most character as position 1) is interpreted as a hexadecimal value.

There is an easy way to determine which users and groups AdminSDHolder protects in your domain: query the adminCount attribute, which is set to 1 on every object the AdminSDHolder process has stamped. The following examples use the ADFind.exe tool, which can be downloaded from


Orphaned AdminSDHolder Objects

When a user is removed from a protected group, the adminCount attribute on that user account does not change; the value 1 remains. Furthermore, the inheritance setting is not changed. As a result, the user account no longer receives its ACL from the AdminSDHolder object, but it also does not inherit any permissions from parent objects, provided inheritance has not been enabled on the AdminSDHolder object itself. The common term for this issue is "orphaned AdminSDHolder objects." There is no automated mechanism to fix inheritance on objects that no longer belong to protected groups; you must deal with orphaned AdminSDHolder objects manually. Microsoft has developed and made available a VBScript that helps you re-enable inheritance on user accounts that were previously members of protected groups. To find the VBScript, see the Microsoft article "Delegated permissions are not available and inheritance is automatically disabled."

How can I force AdminSDHolder permissions to be enforced?

For all versions of AD:

FixUpInheritance: an LDAP modify of this rootDSE attribute -> triggers a full SDPROP run

New with Windows Server 2008 R2 (much faster):

RunProtectAdminGroupsTask: an LDAP modify of this rootDSE attribute -> triggers SDPROP only for AdminSDHolder
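The following PowerShell is an added example, not code from the original post. It ties the three points above together: it lists the accounts that still carry adminCount=1 but are no longer direct or nested members of a protected group (the orphaned case), repairs them by re-enabling inheritance and clearing adminCount, and triggers SDProp immediately through the rootDSE RunProtectAdminGroupsTask attribute. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), a domain-joined session with rights to write nTSecurityDescriptor and adminCount, and a Windows Server 2008 R2 or later PDC emulator. The list of protected groups and the two protected user accounts are given from general knowledge of SDProp rather than from the post and should be checked against Microsoft's documentation for your forest; the function names are my own.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups whose direct and nested members SDProp stamps with the AdminSDHolder ACL
# (assumed list; Enterprise Admins and Schema Admins exist only in the forest root domain).
$protectedGroupNames = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators',
    'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'
)
# Two user accounts are protected by name regardless of group membership (assumed).
$protectedUserNames = @('Administrator', 'krbtgt')

function Get-OrphanedAdminSDHolderUser {
    # Returns users that still carry adminCount=1 but are no longer a direct or
    # nested member of any protected group, i.e. orphaned AdminSDHolder objects.
    $protectedUsers = @{}
    foreach ($name in $protectedGroupNames) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # forest-root-only groups are absent in child domains
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership server-side
        Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
            ForEach-Object { $protectedUsers[$_.DistinguishedName] = $true }
    }
    foreach ($name in $protectedUserNames) {
        $u = Get-ADUser -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
        if ($u) { $protectedUsers[$u.DistinguishedName] = $true }
    }
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        Where-Object { -not $protectedUsers.ContainsKey($_.DistinguishedName) } |
        Select-Object Name, SamAccountName, DistinguishedName,
            @{ n = 'InheritanceBlocked'; e = { $_.nTSecurityDescriptor.AreAccessRulesProtected } }
}

function Repair-OrphanedAdminSDHolderUser {
    # Re-enables ACL inheritance on an orphaned account and clears adminCount so
    # it is no longer reported as protected. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance and clear adminCount')) {
            $acl = Get-Acl -Path "AD:\$DistinguishedName"
            # $false = allow inheritance again; $true = keep the existing explicit ACEs
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
            Set-ADUser -Identity $DistinguishedName -Clear adminCount
        }
    }
}

function Invoke-SDPropNow {
    # Asks the PDC emulator to run SDProp now instead of waiting for the next
    # scheduled cycle (60 minutes by default). RunProtectAdminGroupsTask needs
    # Windows Server 2008 R2 or later; FixUpInheritance works on older DCs.
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put('RunProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

# Typical use: review first, dry-run the repair, then run it for real and force SDProp.
Get-OrphanedAdminSDHolderUser | Format-Table -AutoSize
# Get-OrphanedAdminSDHolderUser | Repair-OrphanedAdminSDHolderUser -WhatIf
# Get-OrphanedAdminSDHolderUser | Repair-OrphanedAdminSDHolderUser
# Invoke-SDPropNow
```

Run the listing step on its own first and review it: an account that appears there because a group is missing from the assumed list would otherwise have its inheritance re-enabled, only to be stamped again by SDProp on the next cycle. The repair uses the AD: drive rather than editing nTSecurityDescriptor by hand so that existing explicit ACEs are kept.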

Licensing Logic: What is SCE and how does it work?

Troubleshooting Adventure: A Real Life Memory Pool Leak

How to tackle Performance Issues (For System Center ConfigMgr / OpsMgr)

IIS HTTP Client certificate authentication

All in One ConfigMgr SCCM 2012 R2 Tool Kit Guide

App-V 5.0 – some special Reports

How to create a Custom Attribute Store for Active Directory Federation Services 3.0

Haswell-EP and Broadwell-EP Xeons on time: Intel server CPU gravy train speeds further

Intel Broadwell-EP Xeon E5 v4: Focus on more cores and reliability

Licensing: RDS Use Rights for non-VL Office 365

Lync 2013 Persistent Chat HA\DR Deep Dive

Back To The Future: Working with date data types in Active Directory PowerShell

Windows Server 2012 R2: Lab Ops–Building a VDI environment with powershell

Part 1: Introduction

Part 2: The Lee-Robinson Script

Part 3: Storage in Windows Server 2012R2

Part 4: Using PowerShell with Storage

Part 5: Access Rights in PowerShell

Part 6: Setup VDI in Windows Server

Part 7: Setting up a pooled VDI collection in Windows Server 2012 R2

Part 8: Tidying up

Part 9: an Introduction to Failover Clustering

Part 10: Scale Out File Servers

Part 11: Server Core

Part 12: A crude but effective Domain Controller

Windows Azure Pack blog posts on Building Clouds & TechNet

How to Build Your ADFS Lab on Server 2012 (R2)

Using PowerShell with System Center 2012 R2 Configuration Manager Maintenance Tasks

Translate "Content_" folders into plain English in the 2012 ConfigMgr Content Library

Domain and DC Migrations: How To Monitor LDAP, Kerberos and NTLM Traffic To Your Domain Controllers