Account Operators
Administrators
Backup Operators
Domain Admins
Domain Controllers
Enterprise Admins
Print Operators
Read-only Domain Controllers
Replicator
Schema Admins
Server Operators
In addition, there are two accounts which are also protected:
Administrator
Krbtgt
You can read more about AdminSDHolder on TechNet, but in summary any object carrying the adminCount=1 flag has its ACL overwritten with a copy of the ACL on the AdminSDHolder object located in the System container. Inheritance is also blocked on these objects so that their ACLs cannot be changed by another route.
That article led me to a support article describing the behaviour you can expect when this happens to accounts that were once members of a protected group, together with a VBScript to clean it up.
The real solution is probably to delete these accounts, but that was not feasible in this situation, so I set out to recreate that VBScript's functionality in PowerShell. Using the AD cmdlets, it becomes so much more elegant...
# Requires the ActiveDirectory module (RSAT); it provides the AD: drive used by Get-Acl/Set-Acl below
Import-Module ActiveDirectory

$adminusers = Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(adminCount=1))" |
    Where-Object { $_.Name -ne "krbtgt" -and $_.Name -ne "Administrator" }

ForEach ($user in $adminusers) {
    # Clear the flag that SDProp stamped on the account
    Set-ADUser -Identity $user -Replace @{adminCount = 0}

    # Re-enable inheritance on the object's ACL.
    # Get-Acl/Set-Acl need the AD: provider path, not a bare distinguished name.
    $path = "AD:\" + $user.DistinguishedName
    $dACL = Get-Acl -Path $path
    $dACL.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $path -AclObject $dACL
}
Wow! That's much better.
Don't do this in your production environment unless you really know the full consequences.
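One way to narrow the cleanup above to accounts that are genuinely orphaned, rather than resetting every user with adminCount=1 and letting SDProp re-stamp the ones still in a protected group. This is an added example, not code from the original post or from the Microsoft support article; it assumes the ActiveDirectory module, a domain-joined session, and that the protected groups are the ones listed at the top of the post. The variable and function names are my own. The remediation loop runs with -WhatIf so it only reports; remove -WhatIf to apply.

```powershell
# Added example (not from the original post): report users that still carry adminCount=1
# but are no longer (nested) members of any protected group, then remediate only those.
Import-Module ActiveDirectory

# Protected groups as listed in the post
$protectedGroups = @('Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Print Operators', 'Read-only Domain Controllers',
    'Replicator', 'Schema Admins', 'Server Operators')

# Build a lookup of every user DN that is a recursive member of a protected group
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    # Enterprise Admins / Schema Admins exist only in the forest root domain, so tolerate misses
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
}

# Every user flagged by SDProp, excluding the two built-in accounts that are always protected
$flagged = @(Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(adminCount=1))' |
    Where-Object { $_.SamAccountName -notin @('krbtgt', 'Administrator') })

# Orphaned = flagged but not currently in any protected group
$orphaned = @($flagged | Where-Object { -not $protectedMembers.ContainsKey($_.DistinguishedName) })

"{0} users carry adminCount=1; {1} of them are not in any protected group" -f $flagged.Count, $orphaned.Count
$orphaned | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Remediate only the orphaned set; -WhatIf shows what would change without touching AD
foreach ($user in $orphaned) {
    Set-ADUser -Identity $user -Replace @{adminCount = 0} -WhatIf
    $path = "AD:\" + $user.DistinguishedName
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $false)   # re-enable inheritance from the parent OU
    Set-Acl -Path $path -AclObject $acl -WhatIf
}
```

Running the report first gives you a list to review with whoever owns those accounts; SDProp runs roughly hourly, so anything still in a protected group would be re-stamped anyway, and resetting it only creates churn in the audit log.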