July 15, 2013

How to View the ACL on the AdminSDHolder Obect in Active Directory

In Active Directory domains, special protection is provided by default to all members of specific default administrative groups, to minimize the risk of security compromise.

Active Directory Administrative Accounts / Groups protected by AdminSDHolder

Specifically, all direct and indirect (nested) members of a set of specific default administrative groups, including groups such as Domain Admins, Enterprise Admins, Builtin Admins, Accounts Operators, Server Operators and others are provided special protection by the system to reduce the likelihood of someone obtaining unauthorized access on these the user accounts belonging to the members of these groups.

The "system" does this by applying a special security descriptor on a specially designated object called AdminSDHolder. This special object resides in the "System" container in Active Directory domains and can be identified by the distinguished name, cn=AdminSDHolder,cn=System,dc=<domain>.

The security descriptor applied on this object is "protected" meaning that it does not inherit any permissions from any parent object. Furthermore, the security permissions specified in this ACL are specially configured to provide optimal protection for all protected objects.

The system runs a special process called SDProp on domain controllers, and thus process takes the security descriptor (SD) on this object and applies it to all user and computer accounts that effectiely belong to one or more of the special protected administrative groups.

This is intended to ensure that even if the user account of one of the members of one of the administrative groups resides in a specific OU that is within the administrative control of a delegated administrator, that delegated administrator does not have any administrative access on that user account, because if he/she did, it would essentially him/her to elevate their privilege and become a more powerful administrator.


How to View the ACL on the AdminSDHolder Obect in Active Directory

Sometimes administrative personnel need to be able to view the ACL protecting the AdminSDHolder object. Most often this is done to analyze what access is granted on this object, so that one can in turn determine what access is granted on all administrative accounts in the domain.

One of the most commonly used ways to view the ACL on the AdminSDHolder object is to use a tool, such as dsacls, that can display the ACL of an Active Directory object.

Using dsacls to view AdminSDHolder Permissions

Although dsacls can show the ACL of the object in a command-line format, sometimes it is helpful to be able to view the object's ACL in a GUI form, especially if a tool can help analyze the permissions in the object's ACL easily, such as by providing the ability to sort the object's ACL based on permission type.

The 004 edition of our Gold Finger Active Directory Audit Tool is one such Active Directory ACL Viewer/Exporter/Analyzer that can help easily analyze Active Directory ACLs. It can of course also be used to view the ACL of the AdminSDHolder object -

Active Directory ACL Viewer - Simple View


If you click the View Details button, Gold Finger automatically shows all the permissions in their own colums, so that you can then easily analyze the entire ACL by permission type -

Gold Finger 003 Edition - World's Most Capable Active Directory ACL Viewer/Export/Dump Tool

In fact, it can be used to view the ACL of any Active Directory object in any partition. It also makes it very easy to export the entire ACL to a CSV file. It can also show you all the inheritance flags, as well as let you sort the ACL by type, security principal, inheritance and other relevant fields.

It thus helps analyze and maintain Active Directory security in your Windows Server environment.


All IT personnel who are responsible for administering Active Directory environments must be familiar with the AdminSDHolder object and the security specified in its ACL, because it determines the security afforded to all administrative accounts and groups, and that in turn determines the security afforded to the entire Active Directory deployment.

For more information on Active Directory Security, including Top Risks, Mitigations, Guides, Checklists, Tools, Technicals and other resources, please visit - http://www.paramountdefenses.com/active-directory-security