How does ADMonitor determine if a user is an admin?

EventSentry ADMonitor utilizes the adminCount attribute that is associated with AD user accounts to determine whether a user has administrative permissions. Windows sets this attribute when a user is added to what is referred to as a "protected group" (see below). Unfortunately Windows does not remove the attribute if a user is subsequently removed from all protected groups, which means that users that are not admins may still be flagged as admin users in AD and ADMonitor.

The adminCount attribute is found on user objects in Active Directory. If the value of this attribute is or 0 then the user is not protected by the SD Propagation and as such not considered an admin. If the adminCount is set, then a value of 1 (or higher) indicates that the user is or has been a member of a protected group.

To reset the adminCount attribute for users that are no longer admins, do the following:

• Open Active Directory Users and Computers
• In the View menu enable Advanced Features
• Locate the user account(s) that incorrectly have the adminCount attribute set and open the properties
• Click on the Attribute Editor tab
• Locate and double-click the adminCount attribute
• Click the Clear button and OK

After the next refresh interval, the affected users should no longer show up as admin users.

For reference purposes, the following table contains the protected groups in Active Directory listed by domain controller operating system.

AdminSDHolder is a container in AD that holds the Security Descriptor applied to members of protected groups. The ACL can be viewed on the AdminSDHolder object itself. Open Active Directory Users and Computers and ensure Advanced Features is selected in the View menu. Navigate to the ‘system’ container under the domain and right-click on the sub-container called AdminSDHolder and select properties. The Security tab displays the ACL that will be applied to all members of protected groups.