DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 232199 - Last Review: February 23, 2007 - Revision: 3.3

This article was previously published under Q232199

SUMMARY

The information in this article applies only to upgrading from Windows 2000 RC2 (or earlier builds) to the released version of Windows 2000. A change was made in Windows 2000 RC3 to the access control list (ACL) of the AdminSDHolder Active Directory object. This object is used to control the permissions of user accounts that are members of the built-in Administrators or Domain Administrators groups.

Every hour, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the following object:
CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com

Replace "DC=MyDomain,DC=Com" in this path with the distinguished name (DN) of your domain.
If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.

NOTE: Using the following procedure is not required if you are upgrading Microsoft Windows NT 4.0 to the released version of Windows 2000.

MORE INFORMATION

To correct this situation, use this procedure on one domain controller per domain:
  1. Install the Windows 2000 Support tools from the Windows 2000 Professional or Server CD-ROM. These tools include a utility named Dsacls.exe, which you can use to view, modify, or remove access control entries on objects in Active Directory.
  2. Create a batch file with the following text, replacing "DC=MyDomain,DC=Com" with the distinguished name (DN) of your domain):
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Everyone:CA;Change Password"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Remote Access Information"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;General Information"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Group Membership"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Logon Information"
    dsacls "cn=adminsdholder,cn=system,dc=mydomain,dc=com" /G "\Pre-Windows 2000 Compatible Access:RP;Account Restrictions"
  3. Run the batch file on the domain controller. It adds the specified Access Control entries (ACEs) for the Everyone and Pre-Windows 2000 Compatible Access groups.
  4. At a command prompt, type dsacls cn=adminsdholder,cn=system,dc=mydomain,dc=com, replacing "DC=MyDomain,DC=Com" with the distinguished name (DN) of your domain). Compare it to the following output:
    Access list:
    {This object is protected from inheriting permissions from the parent}
    Effective Permissions on this object are:
    Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                      READ PERMISSONS
                                                      LIST CONTENTS
                                                      READ PROPERTY
                                                      LIST OBJECT
    Allow BUILTIN\Administrators                      SPECIAL ACCESS
                                                      DELETE
                                                      READ PERMISSONS
                                                      WRITE PERMISSIONS
                                                      CHANGE OWNERSHIP
                                                      CREATE CHILD
                                                      DELETE CHILD
                                                      LIST CONTENTS
                                                      WRITE SELF
                                                      WRITE PROPERTY
                                                      READ PROPERTY
                                                      LIST OBJECT
                                                      CONTROL ACCESS
    Allow IFRPILOT\Enterprise Admins                  SPECIAL ACCESS
                                                      READ PERMISSONS
                                                      WRITE PERMISSIONS
                                                      CHANGE OWNERSHIP
                                                      CREATE CHILD
                                                      DELETE CHILD
                                                      LIST CONTENTS
                                                      WRITE SELF
                                                      WRITE PROPERTY
                                                      READ PROPERTY
                                                      LIST OBJECT
                                                      CONTROL ACCESS
    Allow FAA\Domain Admins                           SPECIAL ACCESS
                                                      READ PERMISSONS
                                                      WRITE PERMISSIONS
                                                      CHANGE OWNERSHIP
                                                      CREATE CHILD
                                                      DELETE CHILD
                                                      LIST CONTENTS
                                                      WRITE SELF
                                                      WRITE PROPERTY
                                                      READ PROPERTY
                                                      LIST OBJECT
                                                      CONTROL ACCESS
    Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
    Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                      READ PERMISSONS
                                                      LIST CONTENTS
                                                      READ PROPERTY
                                                      LIST OBJECT
    Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information
                                                      READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information
                                                      READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership
                                                      READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions
                                                      READ PROPERTY
    Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information
                                                      READ PROPERTY
    Allow Everyone                                    Change Password
    					

APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbenv kbinfo KB232199
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support