Preventing Unauthorized Modification of AD Permissions

Q: Does Active Directory (AD) provide a mechanism to protect against unauthorized modification of AD permissions on high-privilege Windows accounts such as administrators? If such a mechanism exists, how can I fine-tune it?

A: Yes, you can protect against unauthorized modification of the AD permissions on accounts that are members of one of the built-in Windows Administrator groups. Microsoft provides a mechanism that automatically resets the permissions on these accounts at regular intervals. This mechanism is based on a special AD container object called AdminSDHolder. Every hour, the holder of the PDC Emulator master of operations role compares the permissions on the administrator accounts against the permissions on the CN=AdminSDHolder, CN=System, DC=, DC= container. If the permissions are different, the PDC Emulator changes the security descriptor on the administrator object to reflect the permissions on the AdminSDHolder container. AdminSDHolder also automatically disables permission inheritance on the AD administrator objects.

In Windows 2000, this feature applies to members of the Enterprise Admins, Schema Admins, Domain Admins, and Administrators groups. In Windows Server 2003, it also applies to members of the Account Operators, Server Operators, Print Operators, Backup Operators, and Cert Publishers groups. The latter is also true on Win2K systems if you've installed the hotfix that the Microsoft article "New Resolution for Problems That Occur When Users Belong to Many Groups" (http://support.microsoft.com/?kbid=327825) discusses.

To change the permissions that the PDC Emulator applies to the administrator accounts, you must change the permissions on the AdminSDHolder container. Because AdminSDHolder is a container object, not all permissions applicable to a user account object can be set from the Windows GUI. For example, you can't set the change password permission from the GUI. To do so, you can use the dsacls command-line utility as the following example shows.

dsacls cn=adminsdholder,cn=system,dc= /G "Everyone:CA;Change Password"