#1
adminCount not resetting after user removed from protected group

Ran into the typical adminSDHolder issue of permissions being reset after an hour. The puzzle was that it was affecting some users not in any protected groups. I ran ADFind from joeware and it returned all the users with the adminCount set to 1; this included some disabled users who are members of nothing other than Domain Users. I confirmed the adminCount value in ADSIEdit. I thought the adminCount was supposed to automatically reset after a user is removed from a protected group? I assume it's safe to use ADSIEdit to reset the value to Not Set on users no longer in the protected groups?
#2
Re: adminCount not resetting after user removed from protected group

It will never change on its own. I have encountered this in every environment that we manage. In a couple of environments there were users who *were* in a protected group two years ago and the value for adminCount is still "1".

I have always used ldifde to do what you are asking....but you can use adsiedit as well.

HTH,
Cary

"TPGBrennan" <TPGBrennan@discussions.microsoft.com> wrote in message news:24599D89-2134-4C3E-9396-F018EE18A21B@microsoft.com...
> Ran into the typical adminSDHolder issue of permissions being reset after an hour. The puzzle was that it was affecting some users not in any protected groups. I ran ADFind from joeware and it returned all the users with the adminCount set to 1; this included some disabled users who are members of nothing other than Domain Users. I confirmed the adminCount value in ADSIEdit. I thought the adminCount was supposed to automatically reset after a user is removed from a protected group? I assume it's safe to use ADSIEdit to reset the value to Not Set on users no longer in the protected groups?
#3
Re: adminCount not resetting after user removed from protected group

Hello TPGBrennan,

It is correct, after adding a user account to a protected group and removing it the adminCount will stay on 1 until you reconfigure it. After removing the account from the group, enable ACL inheritance, reset the default permissions and set "adminCount=<not set>"

See:
http://blogs.dirteam.com/blogs/jorge...05/16/981.aspx
http://blogs.dirteam.com/blogs/jorge.../11/16/86.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Ran into the typical adminSDHolder issue of permissions being reset after an hour. The puzzle was that it was affecting some users not in any protected groups. I ran ADFind from joeware and it returned all the users with the adminCount set to 1; this included some disabled users who are members of nothing other than Domain Users. I confirmed the adminCount value in ADSIEdit. I thought the adminCount was supposed to automatically reset after a user is removed from a protected group? I assume it's safe to use ADSIEdit to reset the value to Not Set on users no longer in the protected groups?
#4
Re: adminCount not resetting after user removed from protected group

You may find the following useful:
http://technet.microsoft.com/en-us/m...minholder.aspx

--
JPolicelli, MVP - Directory Services
http://www.policelli.com
http://policelli.com/blog
This posting is provided AS IS with no warranties and confers no rights. Always plan and test.

----

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb662d5418cbeb5537007c46@msnews.microsoft.com...
> Hello TPGBrennan,
>
> It is correct, after adding a user account to a protected group and removing it the adminCount will stay on 1 until you reconfigure it. After removing the account from the group, enable ACL inheritance, reset the default permissions and set "adminCount=<not set>"
>
> See:
> http://blogs.dirteam.com/blogs/jorge...05/16/981.aspx
> http://blogs.dirteam.com/blogs/jorge.../11/16/86.aspx
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Ran into the typical adminSDHolder issue of permissions being reset after an hour. The puzzle was that it was affecting some users not in any protected groups. I ran ADFind from joeware and it returned all the users with the adminCount set to 1; this included some disabled users who are members of nothing other than Domain Users. I confirmed the adminCount value in ADSIEdit. I thought the adminCount was supposed to automatically reset after a user is removed from a protected group? I assume it's safe to use ADSIEdit to reset the value to Not Set on users no longer in the protected groups?
#5
Re: adminCount not resetting after user removed from protected group

Hello JPolicelli [MVP-DS],

Really good article about the relationship and "why is this". Also, the steps to modify are easily described. Well done :-)

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> You may find the following useful:
> http://technet.microsoft.com/en-us/m...minholder.aspx
> http://www.policelli.com
> http://policelli.com/blog
> This posting is provided AS IS with no warranties and confers no rights. Always plan and test.
>
> ----
>
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb662d5418cbeb5537007c46@msnews.microsoft.com...
>
>> Hello TPGBrennan,
>>
>> It is correct, after adding a user account to a protected group and removing it the adminCount will stay on 1 until you reconfigure it. After removing the account from the group, enable ACL inheritance, reset the default permissions and set "adminCount=<not set>"
>>
>> See:
>> http://blogs.dirteam.com/blogs/jorge...05/16/981.aspx
>> http://blogs.dirteam.com/blogs/jorge.../11/16/86.aspx
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>> Ran into the typical adminSDHolder issue of permissions being reset after an hour. The puzzle was that it was affecting some users not in any protected groups. I ran ADFind from joeware and it returned all the users with the adminCount set to 1; this included some disabled users who are members of nothing other than Domain Users. I confirmed the adminCount value in ADSIEdit. I thought the adminCount was supposed to automatically reset after a user is removed from a protected group? I assume it's safe to use ADSIEdit to reset the value to Not Set on users no longer in the protected groups?