The AdminSDHolder object controls the security settings on the Builtin Administrators, Schema Administrators, Enterprise Administrators, and Domain Administrators groups.
Note: You can see the AdminSDHolder object in the System container in the Active Directory Users and Computers snap-in. You have to configure the Active Directory Users and Computers snap-in to display Advanced Features for the System container to be visible. To turn on Advanced Features, in the Active Directory Users and Computers snap-in, click Advanced Features on the View menu.
The access control list (ACL) on the AdminSDHolder object functions as a template for the ACLs that are on members of the various administrative groups in the domain. This is to prevent the ACLs for administrative accounts from being changed, either manually or by moving the accounts to another container.
Every hour, the Microsoft Windows domain controller that has the primary domain controller (PDC) emulator operations master role verifies the ACLs on members of these administrative groups and compares them to the ACL on the AdminSDHolder object. If the ACL that is on the AdminSDHolder object is different, the ACLs on the members of the administrative group are reset to match the ACL on the AdminSDHolder object.
During the domain preparation operation (DomainPrep), the Exchange Enterprise Servers group is granted Full Control permissions to the Exchange Enterprise Servers and Exchange Domain Servers groups. These permissions are required for Exchange Setup to finish. Because the Exchange Enterprise Servers group is not granted Full Control permissions to the AdminSDHolder object, if the Exchange Domain Servers group is added to the Builtin Administrators group, the permissions granted through the domain preparation operation are later removed.
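The following added example (not from the original article and not Microsoft's code) models the hourly check in Python with constructed ACLs, to show why the ACE granted by DomainPrep disappears once the Exchange Domain Servers group is added to Builtin Administrators. The ACE tuples, the template contents and the handling of nested membership are assumptions of the model.

```python
# Simplified model of the hourly AdminSDHolder check (constructed data, not real AD).
FULL = "FullControl"

# Groups the article names as controlled by AdminSDHolder.
PROTECTED_GROUPS = {"Builtin Administrators", "Schema Administrators",
                    "Enterprise Administrators", "Domain Administrators"}

def protected_members(member_of):
    """Return every object that belongs, directly or through nesting (assumed),
    to a protected group. member_of maps object name -> set of group names."""
    def reaches_protected(obj, seen):
        for group in member_of.get(obj, ()):
            if group in PROTECTED_GROUPS:
                return True
            if group not in seen:          # guard against membership loops
                seen.add(group)
                if reaches_protected(group, seen):
                    return True
        return False
    return {obj for obj in member_of if reaches_protected(obj, {obj})}

def hourly_pass(acls, member_of, template):
    """Reset the ACL of each protected member that differs from the template.
    Returns {object: set of ACEs lost in the reset}."""
    lost = {}
    for obj in sorted(protected_members(member_of)):
        if acls[obj] != template:
            lost[obj] = acls[obj] - template
            acls[obj] = set(template)
    return lost

def demo():
    # Constructed template: AdminSDHolder has no ACE for Exchange Enterprise Servers.
    template = {("Domain Administrators", FULL), ("SYSTEM", FULL)}
    # State after DomainPrep: Exchange Enterprise Servers has Full Control on both groups.
    domainprep_ace = ("Exchange Enterprise Servers", FULL)
    acls = {"Exchange Domain Servers": template | {domainprep_ace},
            "Exchange Enterprise Servers": template | {domainprep_ace}}
    member_of = {"Exchange Domain Servers": set(), "Exchange Enterprise Servers": set()}
    before = hourly_pass(acls, member_of, template)   # neither group is protected yet
    # The change the article describes: nest the group in Builtin Administrators.
    member_of["Exchange Domain Servers"].add("Builtin Administrators")
    after = hourly_pass(acls, member_of, template)    # DomainPrep ACE is stripped
    return before, after, acls

if __name__ == "__main__":
    print(demo())
```
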
If you view the Exchange Server Setup Progress Log (located on the root of the boot partition, for example, C:\Exchange Server Setup Progress.log), you can see the following text:
[03:24:35] Prerequisites for Microsoft Exchange Instant Messaging Service failed: The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Install" because:
- You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions.
- The installation directory "H:\Program Files\Exchsrvr\MDBDATA" must not contain any files
[03:24:35] The component "Microsoft Exchange Messaging and Collaboration Services" cannot be assigned the action "Install" because:
- You do not have sufficient permissions in the Domain. The Domain administrator must re-run setup /domainprep or you must create a recipient update service for this domain to update the permissions.
- The installation directory "H:\Program Files\Exchsrvr\MDBDATA" must not contain any files
[03:28:05] CComBOIFacesFactory::QueryInterface (K:\admin\src\udog\BO\bofactory.cxx:52)
Error code 0X80004002 (16386): No interface.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
232199 Description and update of the Active Directory AdminSDHolder object
318180 AdminSDHolder thread affects transitive members of distribution groups