How does ADMonitor determine if a user is an admin?

Article ID: 412
Category: ADMonitor
Applies to: 4.0 or newer
Updated: 2019-12-20

EventSentry ADMonitor utilizes the adminCount attribute that is associated with AD user accounts to determine whether a user has administrative permissions. Windows sets this attribute when a user is added to what is referred to as a "protected group" (see below). Unfortunately Windows does not remove the attribute if a user is subsequently removed from all protected groups, which means that users that are not admins may still be flagged as admin users in AD and ADMonitor.

The adminCount attribute is found on user objects in Active Directory. If the value of this attribute is or 0 then the user is not protected by the SD Propagation and as such not considered an admin. If the adminCount is set, then a value of 1 (or higher) indicates that the user is or has been a member of a protected group.

To reset the adminCount attribute for users that are no longer admins, do the following:

  • Open Active Directory Users and Computers
  • In the View menu enable Advanced Features
  • Locate the user account(s) that incorrectly have the adminCount attribute set and open the properties
  • Click on the Attribute Editor tab
  • Locate and double-click the adminCount attribute
  • Click the Clear button and OK

After the next refresh interval, the affected users should no longer show up as admin users.

For reference purposes, the following table contains the protected groups in Active Directory listed by domain controller operating system.

Windows Server 2003 RTM Windows Server 2003 SP1+ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 Windows Server 2016, Windows Server 2019
Account Operators Account Operators Account Operators Account Operators
Administrator Administrator Administrator Administrator
Administrators Administrators Administrators Administrators
Backup Operators Backup Operators Backup Operators Backup Operators
Cert Publishers - - -
Domain Admins Domain Admins Domain Admins Domain Admins
Domain Controllers Domain Controllers Domain Controllers Domain Controllers
Enterprise Admins Enterprise Admins Enterprise Admins Enterprise Admins
- - - Enterprise Key Admins
- - - Key Admins
Krbtgt Krbtgt Krbtgt Krbtgt
Print Operators Print Operators Print Operators Print Operators
- - Read-only Domain Controllers Read-only Domain Controllers
Replicator Replicator Replicator Replicator
Schema Admins Schema Admins Schema Admins Schema Admins
Server Operators Server Operators Server Operators Server Operators

AdminSDHolder is a container in AD that holds the Security Descriptor applied to members of protected groups. The ACL can be viewed on the AdminSDHolder object itself. Open Active Directory Users and Computers and ensure Advanced Features is selected in the View menu. Navigate to the ‘system’ container under the domain and right-click on the sub-container called AdminSDHolder and select properties. The Security tab displays the ACL that will be applied to all members of protected groups.




Tags