"Access Denied" when trying to update attribute on Domain Admin user.


Walt Stringer

My user account is not a Domain Admin, but I have been given
read/write permission to a User attribute across the entire AD
structure. I am able to edit this attribute for all users except for
users that are in the Domain Admins group. When I attempt to modify
the attribute on Domain Admin users...I get an "Access Denied" error
message.

Is this an explicit permission or is there a different flag that needs
to be set, or is it just not possible for a regular user to update an
attribute on a Domain Admin user?

Thanks,

Walt Stringer
 
If you check the security settings of the Admin user, you will see that
you don't have permission to modify this object, as it is protected by the
AdminSDHolder process. This process kicks off every hour on the server that
holds the PDC role and checks user accounts and groups that belong to Admin
groups; if their security descriptors don't match the ones written in the
AdminSDHolder attribute, then the process resets them to match the AdminSDHolder
process. More info can be found at
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318180
This is done to avoid delegating a user permission to modify Admin groups, and
therefore the possibility for such a user to add himself to an admin group. This
would be an elevation of privileges.

Regards
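The behaviour described in the answer can be checked directly: SDProp stamps the DACL of CN=AdminSDHolder onto every protected account and sets adminCount=1 on it, so a delegated ACE on such an account is overwritten within the hour. The script below is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and read access to the domain, and it reports protected objects whose explicit ACEs differ from the AdminSDHolder template (either a delegation that is about to be reset, or an ACE that was added to AdminSDHolder itself and therefore now applies to every admin account).

```powershell
# Added example (not from the thread): compare the explicit DACL of every
# adminCount=1 object against CN=AdminSDHolder and report the differences.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive) and read access.
Import-Module ActiveDirectory

function Get-ExplicitAceSet {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    # SDProp copies AdminSDHolder's ACEs as explicit entries and blocks
    # inheritance, so only non-inherited ACEs are meaningful here.
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        "{0}|{1}|{2}|{3}|{4}" -f $_.IdentityReference, $_.ActiveDirectoryRights,
            $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType
    } | Sort-Object -Unique
}

$domainDn   = (Get-ADDomain).DistinguishedName
$templateDn = "CN=AdminSDHolder,CN=System,$domainDn"
$template   = @(Get-ExplicitAceSet -DistinguishedName $templateDn)

# adminCount=1 is the marker SDProp leaves on objects it has protected.
# Note: it is not cleared when an account leaves the admin groups, so the
# list can include accounts that are no longer members of any such group.
$protected = Get-ADObject -Filter 'adminCount -eq 1' -Properties adminCount

foreach ($obj in $protected) {
    $current = @(Get-ExplicitAceSet -DistinguishedName $obj.DistinguishedName)
    $diff = Compare-Object -ReferenceObject $template -DifferenceObject $current
    if ($diff) {
        Write-Output "== $($obj.DistinguishedName) deviates from AdminSDHolder:"
        foreach ($d in $diff) {
            # '=>' : ACE present on the object but not in the template
            #        (for example a delegation SDProp will remove on its next run)
            # '<=' : ACE in the template but missing on the object
            $where = if ($d.SideIndicator -eq '=>') { 'only on object' } else { 'missing on object' }
            Write-Output ("  [{0}] {1}" -f $where, $d.InputObject)
        }
    }
}
```

Run it as an account that can read the security descriptors involved; in the situation from the question the delegated user's ACE would show up as "only on object" until SDProp removes it, and a permanent change requires editing AdminSDHolder itself.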