Active Directory Security Permissions automatically reset
I have a Server 2008 R2 machine with Windows Deployment Services installed, which works perfectly well. However, after some time (maybe a restart after installing updates) the security permissions applied in Active Directory to allow WDS to work are reset.
The required settings are:
Domain Admins: Full Control
Enterprise Admins: Full Control
Account Operators: Full Control
System: Full Control
SELF: Create All Child Objects, Delete All Child Objects, Validated write to DNS host name, Validated write to service principal name, Read Personal Information, Write Personal Information
I've applied these settings from the machine itself and from the domain controller. I'm not sure why this is happening; there doesn't appear to be a problem with any other AD settings being reset. I've read about AdminSDHolder but am not sure if this applies in my case as I'm setting the permissions manually. I've also read that it's not best practice to change it, although admittedly this is the first time I've come across this.
How can I make AD retain these settings?
As explained in the TechNet Magazine article "AdminSDHolder, Protected Groups and SDPROP", Active Directory "protects" members of a set of "protected groups".
Every 60 minutes, the Directory Service Agent runs a background job that:
- Identifies all "protected" objects. These objects will then have their adminCount attribute set to a value of 1.
- For each object that now matches (&(adminCount=1)), it copies the Security Descriptor from the AdminSDHolder container object and "stamps" the protected object with it.
This process is what is referred to as the "Security Descriptor Propagator" or "SDPROP" for short.
Backup Operators is just one of these "Protected Groups", so if a computer account object is a member of Backup Operators, SDPROP will "reset" the SD on said computer account object.
If you want to test this hypothesis without waiting up to 1 hour, break out PowerShell, connect to the RootDSE of any Domain Controller in the domain and call the FixUpInheritance routine (this is what SDPROP does internally anyway), like so:
$RDSE = [ADSI]"LDAP://dc01.my.domain.tld/RootDSE"
$RDSE.Put("FixUpInheritance",1)
$RDSE.SetInfo()
You can either remove the server from the Backup Operators group and then manually unset the adminCount attribute on the object, or you can change the Security Descriptor of the AdminSDHolder object, although I would strongly advise against the latter if you're not confident in what you are doing.