admincount and adminsdholder

[Brooke Justice]

Ok, I've read everything I could find on MS's site and in the newsgroups
about admincount and adminsdholder. One thing that I can't find stated, but
looks like it works, is if an account has an admincount = 1 set becaues it
is in an administrative, or protected, group and then you go and set the
admincount to "<not set>", when the sdprop thread runs again (or is forced
to run) the admincount will be set back to 1 and then the ACL and
inheritance will also be set like the adminsdholder. Is this how it's
supposed to work? The reason I ask is that it looks as if the script that MS
provides in KB817433 looks as if it changes all accounts whose admincount
attribute is set to 1. This of course would include all accounts that are
legitimitely adminstrative. From what I can tell though, the accounts that
are left in administrative groups will be changed when the script runs, but
as soon as sdprop runs again the inheritance is cleared, the admincount is
set back to 1, and the ACL is set like the adminsdholder.

Hope that all makes sense... I'm setting up another Virtual W2000 server,
but wanted to see if anyone could provide some input as well.

Thanks,
Brooke

 

[Joe Richards [MVP]]

Correct. Any secprins still in the admin groups will get admincount reset to 1
and will have adminSDHolder perms reapplied.

joe

 

[Brooke Justice]

Thanks Joe. I appreciate the input - and all your input to everyone else as
well. Very helpful!

Brooke