AdminSDHolder Thread Affects Transitive Members of Distribution Groups (318180)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP3
This article was previously published under Q318180 SUMMARY An Active Directory domain controller that holds the
primary domain controller (PDC) operations master role (also known as the
flexible single master operations role or the FSMO role) runs a thread every
hour to check the access control lists (ACLs) on the following groups and all
of the member objects of these groups:
- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
- Domain Controllers
- Cert Publishers
- Backup Operators
- Replicator Server Operators
- Account Operators
- Print Operators
If a user account is a member of one of these administrative
groups because of its membership with a distribution group, the user account's
ACL is checked when the thread is run and may be reset to match the ACL of the
AdminSDHolder thread. If you use the repadmin /showmeta user distinguished name command to view the user account, you see that the ntSecurityDescriptor attribute is set within one hour after the last time you changed
the ACL on the user account. The user account also contains the AdminCount attribute. This article describes how the AdminSDHolder
thread affects transitive members of distribution groups.
For additional information
about the AdminSDHolder thread, click the following article number to view the article in the Microsoft Knowledge Base:
232199
Description and update of Active Directory AdminSDHolder object
MORE INFORMATION Membership of a distribution group does not normally have
any security significance. For example, if UserA is a member of Distribution
GroupA and Distribution GroupA is a member of the Domain Admins group, UserA is
not a member of the Domain Admins group if the user is logged on to the
computer. The distribution group blocks security group membership. However, the
enumeration algorithm that is used by the AdminSDHolder thread is fast and
simple and it includes UserA during the transitive iteration of the Domain
Admins group.
You can change groups from being a distribution group
to a security group; therefore, the enumeration algorithm that is used by the
AdminSDHolder thread ensures that all transitive members are covered in both
cases. Do not make distribution groups members of security groups, if possible.
You do not experience unexpected behavior after you change the group from a
distribution group to a security group if you do not make distribution groups
members of security groups. A user that is covered by the enumeration algorithm
that is used by the AdminSDHolder thread has an AdminCount attribute that has a value that is greater than or equal to 1.
| Modification Type: | Major | Last Reviewed: | 4/8/2004 |
|---|
| Keywords: | kbenv kbinfo KB318180 |
|---|
|