Security Focus: AD Objects Configured as AdminCount -eq 1

Let's go!

In Active Directory, AdminSDHolder is an object in the System container of each domain partition. Its security descriptor is stamped hourly onto any AD object marked with AdminCount -eq 1. This 'fix up' is performed by a process called SDProp, which runs on the PDC emulator (PDCe). The security descriptor / ACL can be thought of as a template: it is the means by which highly privileged users and groups are protected.


How do I find objects marked as AdminCount -eq 1?

Simple. This little code sample creates a report of all the objects in the forest with this configuration.

#Loop through each domain in the forest
(Get-ADForest).Domains | ForEach-Object {

    #Find objects configured with admincount = 1 ($_ is the current domain's DNS name)
    #AdminCount is not a default property, so ask for it explicitly so it lands in the report
    $Findings = Get-ADObject -Filter {(AdminCount -eq 1)} -Server $_ -Properties AdminCount -ErrorAction SilentlyContinue

    #If $Findings is populated, export to CSV
    if ($Findings) {

        #Get short domain name
        $DomainName = (Get-ADDomain -Identity $_).Name.ToUpper()
        #-NoTypeInformation drops the "#TYPE" header line Windows PowerShell writes by default
        $Findings | Export-Csv -Path ".\$($DomainName)_ADMINCOUNT_EQUALS_ONE.csv" -NoTypeInformation

    }   #End of if ($Findings)

}   #End of ForEach-Object


Who cares?

I do and you should, too. These objects will always get the AdminSDHolder ACL, which comes with 'block inheritance' configured. Nothing in scope can be successfully delegated or updated with a custom permission... because within an hour SDProp runs again and... boom! Back to square one. You may be expecting a certain behaviour and it just doesn't persist.
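As an added example (not code from the original post), here is a check that shows that stamping in action: it compares the explicit DACL entries of every AdminCount -eq 1 object in the current domain with the AdminSDHolder template and reports whether inheritance is blocked. Anything that does not match is either waiting for the next SDProp pass or carrying a custom permission that SDProp will shortly remove. It assumes the ActiveDirectory module (and the AD: drive it provides) with read access to the domain; Get-DaclFingerprint and Test-AdminSDHolderDrift are names chosen for this example.

```powershell
# Added example: detect AdminCount=1 objects whose DACL differs from AdminSDHolder.
# Assumes the ActiveDirectory module and its AD: drive, bound to the current domain.
Import-Module ActiveDirectory

function Get-DaclFingerprint {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # Explicit (non-inherited) ACEs only, keyed by SID so name resolution cannot skew the compare.
    # Sorted and joined into one string so two DACLs can be compared with -eq.
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.IdentityReference.Value, $_.ActiveDirectoryRights,
                $_.AccessControlType, $_.ObjectType, $_.InheritedObjectType, $_.InheritanceType
        } | Sort-Object | Out-String
}

function Test-AdminSDHolderDrift {
    $domain   = Get-ADDomain
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    # The template every protected object is stamped with (hourly, by SDProp on the PDCe)
    $template = Get-DaclFingerprint (Get-Acl -Path "AD:\$holderDn")

    Get-ADObject -Filter {AdminCount -eq 1} -Server $domain.DNSRoot -Properties whenChanged |
        ForEach-Object {
            $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            [pscustomobject]@{
                Name                 = $_.Name
                ObjectClass          = $_.ObjectClass
                InheritanceBlocked   = $acl.AreAccessRulesProtected   # 'block inheritance' set?
                MatchesAdminSDHolder = ((Get-DaclFingerprint $acl) -eq $template)
                WhenChanged          = $_.whenChanged
            }
        }
}

# Report only the objects that currently deviate from the template: these are the ones
# whose custom permission or inherited ACEs will be wiped on the next SDProp pass.
Test-AdminSDHolderDrift |
    Where-Object { -not $_.MatchesAdminSDHolder -or -not $_.InheritanceBlocked } |
    Format-Table -AutoSize
```

Run it twice, an hour apart, and an object that was reported the first time and is gone the second has just been reset by SDProp.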