Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

Security tab of the adminSDHolder object does not display all properties



This article was previously published under Q301188



Symptoms

When you view the access control list (ACL) on the Security tab of the AdminSDHolder object properties in the Active Directory Users and Computers snap-in or the ADSI Edit tool, you cannot configure the fields that are associated with user accounts or groups.

Advanced fields such as Change Password, Reset Password, Receive As, and Send As are not displayed as expected.



Cause

This behavior can occur because the AdminSDHolder object is a container object that is used only as a template to store permissions. Even though the permissions that are applied to it are intended to be applied to the user or group objects, the ACL editor only displays the access control entries (ACEs) for the type of object that it is currently editing (the container object).



Resolution

Modify the permissions of this object by using the Dsacls.exe utility, or write an ADSI script.

For additional information about how to install the Dsacls.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:
301423 How to install the Windows 2000 support tools to a Windows 2000 Server-based computer
For more information on ADSI, search for this topic on the following Microsoft Web site:



Status

This behavior is by design.



More information

The AdminSDHolder container object is a template that holds a set of permissions that are applied to accounts that are members of the built-in Administrators or Domain Administrators groups. These permissions are applied at regular intervals. The regular application of permissions on the users in the Administrators group is a security feature designed to maintain consistent permissions on those user accounts. The AdminSDHolder container object can be located in Active Directory at the following location:
CN=adminSDHolder,CN=System,DC=MyDomain,DC=Com
Note In a Microsoft Windows Server 2003-based Active Directory domain, the Administrators group object also receives the same permissions.

For additional information about the adminSDHolder object and samples of the Dsacls command, click the following article number to view the article in the Microsoft Knowledge Base:
232199 Description and update of Active Directory AdminSDHolder object
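
The following read-only ADSI script, written in PowerShell, lists every ACE on the AdminSDHolder object, including the user-specific entries (Change Password, Reset Password, Send As, Receive As) that the ACL editor does not display for a container. It is an added example, not code from the Microsoft article; the function name Get-AdminSDHolderAcl and the GUID-to-name table are assumptions made for illustration, with the GUIDs taken from the standard Active Directory rightsGuid values.

```powershell
# Added example: read-only listing of the AdminSDHolder ACL through ADSI.
# Assumes a domain-joined Windows host and rights to read the object's security descriptor.

# rightsGuid values of the control access rights the article names.
$NamedRights = @{
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a54-1e2f-11d0-9819-00aa0040529b' = 'Send As'
    'ab721a56-1e2f-11d0-9819-00aa0040529b' = 'Receive As'
}

function Get-AdminSDHolderAcl {   # hypothetical helper name
    param(
        # Domain naming context, e.g. DC=MyDomain,DC=Com; defaults to the current domain.
        [string]$DomainDN = "$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
    )
    $holder = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$DomainDN"
    # psbase reaches the underlying DirectoryEntry, whose ObjectSecurity holds the full DACL.
    # Arguments: include explicit ACEs, include inherited ACEs, show trustees as account names.
    $rules = $holder.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($ace in $rules) {
        $guid = $ace.ObjectType.ToString()
        $isExtended = [bool]($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        # An empty ObjectType GUID means the ACE is not limited to one right or attribute.
        $target = if ($NamedRights.ContainsKey($guid)) {
            $NamedRights[$guid]
        } elseif ($ace.ObjectType -eq [guid]::Empty) {
            '(all)'
        } else {
            $guid
        }
        [pscustomobject]@{
            Identity      = $ace.IdentityReference.Value
            Access        = $ace.AccessControlType
            Rights        = $ace.ActiveDirectoryRights
            AppliesTo     = $target
            ExtendedRight = $isExtended
            Inherited     = $ace.IsInherited
        }
    }
}

Get-AdminSDHolderAcl | Sort-Object Identity | Format-Table -AutoSize
```

Because these permissions are applied at regular intervals to the protected accounts, comparing this output against a known-good baseline shows any unexpected trustee on the template before or after it propagates.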



Keywords: KB301188, kbprb


Article Info
Article ID : 301188
Revision : 7
Created on : 2/27/2007
Published on : 2/27/2007
Exists online : False