Microsoft Windows NT 4.0 and earlier protects the users in
administrative groups by changing the Access Control List (ACL) on the members
as they are added to the groups. Windows 2000 uses a different method to
accommodate support for nested groups and universal groups. Windows 2000
supports universal groups, which can have members in other domains and could
themselves be members of groups in other domains.
Windows 2000 uses
the SD propagator (SDPROP) background process to implement the protection of
administrative groups. This process first computes the set of memberships in
transitive fashion for all administrative groups. It then walks the list of
objects that it has and checks whether the security descriptor on the objects
is a well-known protected security descriptor. If the well-known protected
security descriptor is not set, it sets this security descriptor on the object.
This task runs only on the primary domain controller Flexible Single Master
Operation (FSMO) role holder.
The SD propagator runs in the background and updates the
inherited permissions of containers and objects in Active Directory as they are
moved from one organizational unit to another. In rare circumstances, it may be
necessary to force a run of the SD propagator manually by using the Lightweight
Directory Protocol tool (LDAP):
- To use the Ldp.exe tool, verify that the Windows 2000
Support Tools are installed by clicking Start, pointing to Programs, pointing to Administrative Tools and then locating Windows 2000 Support Tools. If this command exits, skip to step 3. If it does not exist,
continue with step 2 to install the Windows 2000 Support Tools.
- To install the Windows 2000 Support Tools, insert your
Windows 2000 installation CD-ROM, and then double-click Setup.exe in the Support\Tools folder on the CD-ROM.
- To run Ldp.exe, click Start, click Run, type ldp, and then click OK.
- Click Connection, click Connect, and then type the server name you want to connect to. This
connects over port 389 for Active Directory. Click Connection, click Bind, and then type the appropriate administrative user name,
password, and domain. Click OK. Note that you should type domain administrator or enterprise
- On the Browse menu, click Modify. In the Modify dialog box, leave the DN box blank. In the Attribute box, type FixUpInheritance. Set the Value box to Yes.
- In the Operation box, click Add. Click Enter to populate the Entry List dialog box, which should read
- Click Run. The right pane indicates "Modified." This starts the SD
propagator. The run time for the SD propagator is linear with the size of the
Active Directory database. The process is complete when the "DS Security
Propagation Events" counter in the NTDS Performance object returns to
- Click Close.
- Click Connection, and then click Exit.