It is common for companies to have service or help desks tasked with unlocking user accounts and resetting passwords, but not with granting those users administrative rights. One strategy is to minimize the number of named admin user accounts to a number the other admins can manage themselves, and to have enough staff that delays do not affect SLAs, but that may be unfeasible for many reasons.

In Microsoft Active Directory (AD), users that aren’t in administrative groups cannot unlock, or reset the passwords of, users that are in administrative groups. If you try to delegate those privileges to non-admin users using the AD GUI it will appear to work for a short while – your help desk tech will be able to unlock a domain admin user account – but that privilege will disappear within an hour.

This is due to the AdminSDHolder mechanism, and it’s more accurate to say that users who aren’t in protected groups cannot manage AD objects that are protected, such as domain admins, schema admins, and so on. Every 60 minutes a process called Security Descriptor Propagation (SDPROP) searches for protected AD objects and resets any changes made to their ACLs. The ACL that SDPROP applies to every protected object is stored on AD’s AdminSDHolder container.

To read more about the mechanics, see this Microsoft TechNet article, or consult THE Google.

To grant your service desk members Reset Password, Change Password, and Unlock Account privileges run the following commands in PowerShell. I prefer to use PowerShell ISE to format the commands and then run them while monitoring the output.

Replace the domain fakedomain.com with your own AD domain, and use your own custom AD Group instead of Service-Desk-Group.

dsacls "cn=AdminSDHolder,cn=System,dc=fakedomain,dc=com" /G "FAKEDOMAIN\Service-Desk-Group:CA;Reset Password"
dsacls "cn=AdminSDHolder,cn=System,dc=fakedomain,dc=com" /G "FAKEDOMAIN\Service-Desk-Group:CA;Change Password"
dsacls "cn=AdminSDHolder,cn=System,dc=fakedomain,dc=com" /G "FAKEDOMAIN\Service-Desk-Group:RPWP;lockoutTime"
dsacls "cn=AdminSDHolder,cn=System,dc=fakedomain,dc=com" /G "FAKEDOMAIN\Service-Desk-Group:RPWP;pwdLastSet"

To later DENY those permissions to the same group or users, use the /D switch instead of /G (D = Deny, G = Grant). For example:

dsacls "cn=AdminSDHolder,cn=System,dc=fakedomain,dc=com" /D "FAKEDOMAIN\Service-Desk-Group:CA;Reset Password"

Now your service desk technicians can unlock the only available domain administrator’s account at 3am on Sunday during a production outage. Ensure you have proper user auditing, policies, and compensating controls to prevent abuse.
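Because the dsacls commands above change the ACL that SDPROP stamps onto every protected account, it is worth periodically auditing what AdminSDHolder actually grants. The following PowerShell is an added example, not part of the original post: it resolves the GUIDs of the two control-access rights and two attributes from the forest, lists every ACE on AdminSDHolder held by Service-Desk-Group, and flags anything beyond the four intended rights. It assumes the ActiveDirectory module and the AD: drive it provides.

```powershell
# Added example (not from the original post): audit the AdminSDHolder ACEs
# held by the service desk group and flag anything beyond the four intended
# rights. Assumes the ActiveDirectory module and its AD: PSDrive.
Import-Module ActiveDirectory

$GroupName = 'Service-Desk-Group'
$RootDse   = Get-ADRootDSE
$Holder    = "CN=AdminSDHolder,CN=System,$($RootDse.defaultNamingContext)"

# Resolve the GUIDs of the two control-access rights and the two attributes
# from this forest instead of hard-coding them.
$Expected = @{}
foreach ($name in 'Reset Password', 'Change Password') {
    $r = Get-ADObject -SearchBase $RootDse.configurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$name))" `
        -Properties rightsGuid | Select-Object -First 1
    $Expected[[guid]$r.rightsGuid] = "CA;$name"
}
foreach ($attr in 'lockoutTime', 'pwdLastSet') {
    $s = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $Expected[[guid]::new([byte[]]$s.schemaIDGUID)] = "RPWP;$attr"
}

$GroupSid = (Get-ADGroup -Identity $GroupName).SID
$Acl      = Get-Acl -Path "AD:\$Holder"
$Aces     = $Acl.Access | Where-Object {
    $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]) -eq $GroupSid
}

# Rights that would hand the group full control of every protected account.
$Dangerous = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'
foreach ($ace in $Aces) {
    $rights = $ace.ActiveDirectoryRights.ToString()
    $label  = $Expected[$ace.ObjectType]
    if ($ace.AccessControlType -eq 'Allow' -and $label) {
        Write-Host "OK       $label"
    } elseif ($Dangerous | Where-Object { $rights -match $_ }) {
        Write-Warning "REVIEW   $($ace.AccessControlType) $rights on $($ace.ObjectType)"
    } else {
        Write-Host "OTHER    $($ace.AccessControlType) $rights on $($ace.ObjectType)"
    }
}
# Report any of the four intended rights that is not present at all.
$Missing = $Expected.Keys | Where-Object { $_ -notin $Aces.ObjectType }
foreach ($m in $Missing) { Write-Warning "MISSING  $($Expected[$m])" }
```

Run it as a user that can read the AdminSDHolder ACL; a REVIEW line means the group holds more than the page's delegation intends and should be investigated.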

Now, say you have a different issue. Your non-admin service desk cannot unlock the account of a user that is NOT in any protected group. The user may have been an admin at one point, but was de-elevated. In this case the user’s AD object still has the attribute adminCount set to 1, and this can be manually changed to 0. To do so:

  1. Open Active Directory Users and Computers.
  2. Click View.
  3. Check Advanced Features if it’s not already checked.
  4. Still within Active Directory Users and Computers, find the user’s account.
  5. Double-click on the user’s account, or right-click and select Properties to open the Properties menu.
  6. In the user properties, open the Attribute Editor tab.
  7. Find the adminCount attribute and double-click it.
  8. If it’s set to 1, change the 1 to a 0.
  9. Click OK.
  10. Click Apply and/or OK to apply the change.

NOTE: if adminCount is set back from 0 to 1 after an hour, then the user is still in a protected / admin group.
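Doing the Attribute Editor steps above by hand does not scale when many accounts have been de-elevated over the years. The following PowerShell is an added example, not part of the original post: it lists the accounts that still carry adminCount=1, removes those that are (nested) members of a protected group, and clears the rest, leaving SDPROP to put the 1 back within the hour if an account is still protected after all. It assumes the ActiveDirectory module and its AD: drive; set $DryRun to $false to apply the changes.

```powershell
# Added example (not from the original post): find users that still carry
# adminCount=1 without being in a protected group and clear it, which is what
# the Attribute Editor steps above do by hand. Assumes the ActiveDirectory
# module and the AD: drive it provides. Set $DryRun = $false to apply.
Import-Module ActiveDirectory
$DryRun = $true

# Groups whose nested members SDPROP protects (the page names a few of them).
# Key Admins / Enterprise Key Admins exist only from the 2016 schema onward.
$ProtectedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Controllers',
    'Read-only Domain Controllers', 'Key Admins', 'Enterprise Key Admins'

$ProtectedSids = @{}
foreach ($name in $ProtectedGroups) {
    $grp = Get-ADGroup -Filter "name -eq '$name'"
    if (-not $grp) { continue }       # not present in this domain/forest
    Get-ADGroupMember -Identity $grp -Recursive |
        ForEach-Object { $ProtectedSids[$_.SID.Value] = $true }
}

# krbtgt is protected directly, not through a group, so leave it alone.
$Orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' -and
                   -not $ProtectedSids.ContainsKey($_.SID.Value) }

foreach ($u in $Orphans) {
    Write-Host "Orphaned adminCount=1: $($u.SamAccountName)"
    Set-ADUser -Identity $u -Clear adminCount -WhatIf:$DryRun

    # SDPROP also disabled ACL inheritance on the object when it protected it.
    # The GUI steps above do not undo that, so re-enable inheritance here;
    # otherwise the account still misses any permissions delegated at the OU.
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep explicit ACEs
    Set-Acl -Path $path -AclObject $acl -WhatIf:$DryRun
}
```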

You can also exclude certain groups from the AdminSDHolder mechanism. These are Account Operators, Server Operators, Print Operators, and Backup Operators. Members of these groups can perform built-in admin tasks, and non-admin users/groups can be delegated control over those accounts without interference from the AdminSDHolder mechanism. To do so:

  1. Open ADSI Edit.
  2. Open Properties on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=fakedomain,DC=com, replacing DC=fakedomain,DC=com with your own domain.
  3. Under the Attribute Editor tab, scroll down to the dsHeuristics attribute.
  4. The dsHeuristics value should be <not set>. If it contains a value you’ll need to note that value and read the following very carefully to arrive at the value you want.
  5. Set the dsHeuristics value to the hexadecimal sum of the groups you wish to exclude, using the following calculations.
  6. Click OK, then Apply and/or OK to exit.

Each group has the following binary value. Add together the binary values of all groups you wish to exclude from the AdminSDHolder mechanism, then convert the sum to hexadecimal.

Account Operators = 0001
Server Operators  = 0010
Print Operators   = 0100
Backup Operators  = 1000

To exclude Backup Operators and Print Operators, the binary sum is 1100, which is C in hexadecimal. To exclude Account Operators and Server Operators, the binary sum is 0011, which is 3 in hexadecimal.

If the existing value of dsHeuristics is 3, then Account Operators and Server Operators are already excluded, so if you want to exclude Print Operators and Backup Operators but remove Server Operators (for example), the result should be 1101 in binary, or D in hexadecimal.
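The following PowerShell is an added example, not part of the original post: it carries out the bit arithmetic above against the live dsHeuristics value, ORing in the groups to exclude and clearing the ones to stop excluding (the "remove Server Operators" case gives the same D as the text). It assumes the ActiveDirectory module. One caveat the script handles for you: dsHeuristics is a positional string of one-character settings, the AdminSDHolder exclusion mask is its 16th character, and the character at position 10 must be '1', so the hex digit is placed into a padded string rather than written on its own.

```powershell
# Added example (not from the original post): compute the exclusion mask from
# the table above and write it into dsHeuristics, keeping groups that are
# already excluded unless listed in $Remove. Assumes the ActiveDirectory module.
# dsHeuristics is positional: the exclusion mask is character 16 and the
# character at position 10 must be '1', so a full string is assembled here.
Import-Module ActiveDirectory
$DryRun = $true

$Flags = @{                        # binary values from the table above
    'Account Operators' = 1        # 0001
    'Server Operators'  = 2        # 0010
    'Print Operators'   = 4        # 0100
    'Backup Operators'  = 8        # 1000
}
$Exclude = 'Print Operators', 'Backup Operators'   # groups to start excluding
$Remove  = 'Server Operators'                      # groups to stop excluding (may be @())

$DsDn = "CN=Directory Service,CN=Windows NT,CN=Services," +
        (Get-ADRootDSE).configurationNamingContext
$Cur  = [string](Get-ADObject -Identity $DsDn -Properties dsHeuristics).dsHeuristics  # '' if <not set>

# Pad to 16 characters and satisfy the mandatory position-10 digit.
$chars = $Cur.PadRight(16, '0').ToCharArray()
if ($chars[9] -eq '0') { $chars[9] = '1' }

$add = 0; $del = 0
foreach ($g in $Exclude) { $add = $add -bor $Flags[$g] }
foreach ($g in $Remove)  { $del = $del -bor $Flags[$g] }
$existing  = [convert]::ToInt32([string]$chars[15], 16)      # mask already in place
$mask      = ($existing -bor $add) -band (-bnot $del) -band 0xF
$chars[15] = ('{0:X}' -f $mask)[0]                           # e.g. 3 -> D for the text's case

$NewValue = -join $chars
Write-Host "dsHeuristics: '$Cur' -> '$NewValue'"
Set-ADObject -Identity $DsDn -Replace @{ dsHeuristics = $NewValue } -WhatIf:$DryRun
```

Any characters already present beyond position 16 are preserved unchanged, and the script only writes once $DryRun is set to $false.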

By Atomosk
