Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Security tab of the adminSDHolder object does not display all properties


View products that this article applies to.

This article was previously published under Q301188

↑ Back to the top


Symptoms

When you view the Access Control List (ACL) on the Security tab of the AdminSDholder object properties in the Active Directory Users and Computers snap-in or ADSI Edit tool, you are unable to configure fields that are associated with user accounts or groups.

Advanced fields, such as, Change Password, Reset Password, Receive As, and Send As are not displayed, as expected.

↑ Back to the top


Cause

This behavior can occur because the AdminSDHolder object is a container object that is used only as a template to store permissions. Even though the permissions that are applied to it are intended to be applied to the user or group objects, the ACL editor only displays the access control entries (ACEs) for the type of object that it is currently editing (the container object).

↑ Back to the top


Resolution

Modify the permissions of this object through the Dsacls.exe utility or a write an ADSI script.

For additional information about how to install the Dsacls.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:
301423� How to install the Windows 2000 support tools to a Windows 2000 Server-based computer
For more information on ADSI, search for this topic on the following Microsoft Web site:

↑ Back to the top


Status

This behavior is by design.

↑ Back to the top


More information

The AdminSDHolder container object is a template that holds a set of permissions that are applied to accounts that are members of the built-in Administrators or Domain Administrators groups. These permissions are applied at regular intervals. The regular application of permissions on the users in the Administrators group is a security feature designed to maintain consistent permissions on those user accounts. The AdminSDHolder container object can be located in Active Directory at the following location:
CN=adminSDHolder,CN=System,DC=MyDomain,DC=Com
Note In a Microsoft Windows Server 2003-based Active Directory domain, the Administrators group object also receives the same permissions.

For additional information about the adminSDHolder object and samples of the Dsacls command, click the following article number to view the article in the Microsoft Knowledge Base:
232199� Description and update of Active Directory AdminSDHolder object

↑ Back to the top


Keywords: KB301188, kbprb

↑ Back to the top

Article Info
Article ID : 301188
Revision : 7
Created on : 2/27/2007
Published on : 2/27/2007
Exists online : False
Views : 385