Security tab of the adminSDHolder object does not display all properties (301188)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
This article was previously published under Q301188

SYMPTOMS

When you view the Access Control List (ACL) on the Security tab of the AdminSDholder object properties in the Active Directory Users and Computers snap-in or ADSI Edit tool, you are unable to configure fields that are associated with user accounts or groups.

Advanced fields, such as, Change Password, Reset Password, Receive As, and Send As are not displayed, as expected.

CAUSE

This behavior can occur because the AdminSDHolder object is a container object that is used only as a template to store permissions. Even though the permissions that are applied to it are intended to be applied to the user or group objects, the ACL editor only displays the access control entries (ACEs) for the type of object that it is currently editing (the container object).

RESOLUTION

Modify the permissions of this object through the Dsacls.exe utility or a write an ADSI script.

For additional information about how to install the Dsacls.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:

301423 How to install the Windows 2000 support tools to a Windows 2000 Server-based computer

For more information on ADSI, search for this topic on the following Microsoft Web site:

http://msdn.microsoft.com

STATUS

This behavior is by design.

MORE INFORMATION

The AdminSDHolder container object is a template that holds a set of permissions that are applied to accounts that are members of the built-in Administrators or Domain Administrators groups. These permissions are applied at regular intervals. The regular application of permissions on the users in the Administrators group is a security feature designed to maintain consistent permissions on those user accounts. The AdminSDHolder container object can be located in Active Directory at the following location:

CN=adminSDHolder,CN=System,DC=MyDomain,DC=Com

Note In a Microsoft Windows Server 2003-based Active Directory domain, the Administrators group object also receives the same permissions.

For additional information about the adminSDHolder object and samples of the Dsacls command, click the following article number to view the article in the Microsoft Knowledge Base:

232199 Description and update of Active Directory AdminSDHolder object

Modification Type:MinorLast Reviewed:10/13/2004
Keywords:kbprb KB301188
©2004 Microsoft Corporation. All rights reserved.