EventSentry ADMonitor uses the adminCount attribute on AD user accounts to decide whether a user has administrative permissions. Windows (the SDProp process, which runs on the PDC emulator roughly every 60 minutes) sets adminCount to 1 when a user becomes a member of a "protected group" (see below), stamps the user object with the ACL from AdminSDHolder and disables ACL inheritance on it. Unfortunately Windows never reverses this when the user is later removed from all protected groups: adminCount stays at 1 and the object keeps the restrictive ACL, so users who are no longer admins may still be flagged as admin users both in AD and in ADMonitor.
The adminCount attribute is found on user objects in Active Directory. If the value of this attribute is
To reset the adminCount attribute for users that are no longer admins, do the following:
After the next refresh interval, the affected users should no longer show up as admin users.
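The following PowerShell script, added here as an example and not part of EventSentry's own code, automates the clean-up described above: it finds users that still carry adminCount=1 but are no longer members (directly or through nesting) of any protected group, clears the attribute and re-enables ACL inheritance on the object. It assumes the ActiveDirectory RSAT module and write access to the affected users; the `-Commit` switch is a parameter of this example only, so the script reports without changing anything unless you pass it.

```powershell
# Added example, not EventSentry's own code. Finds user accounts that still carry
# adminCount=1 although they are no longer (directly or through nesting) members of
# any protected group, then clears the attribute and re-enables ACL inheritance.
# Assumes the ActiveDirectory RSAT module and write access to the affected users.
# Without -Commit (a switch defined by this example) it only reports.
param([switch]$Commit)

Import-Module ActiveDirectory

# Protected groups are themselves stamped with adminCount=1 by SDProp, so reading the
# attribute on group objects enumerates whatever this domain's AdminSDHolder process
# actually protects (the OS-specific list in the table below) without hard-coding names.
# A group that was once protected keeps adminCount=1 too; that only makes this check
# more conservative (its members are treated as still protected and left alone).
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) resolves nested membership
# on the server side, so a user in a group nested inside Domain Admins is found too.
$stillProtected = @{}
foreach ($g in $protectedGroups) {
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))" |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

$flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

foreach ($u in $flagged) {
    # The built-in Administrator (RID 500) and krbtgt are protected as accounts, not
    # through group membership; SDProp keeps their adminCount at 1, so skip them.
    if ($u.SID.Value.EndsWith('-500') -or $u.SamAccountName -eq 'krbtgt') { continue }
    if ($stillProtected.ContainsKey($u.DistinguishedName)) { continue }

    Write-Host "Orphaned adminCount=1 on $($u.SamAccountName) ($($u.DistinguishedName))"
    if (-not $Commit) { continue }

    # 1. Remove the attribute (an absent adminCount is treated as "not an admin").
    Set-ADUser -Identity $u -Clear adminCount

    # 2. SDProp also disabled inheritance on the object; turn it back on so the normal
    #    OU permissions apply again instead of the frozen copy of the AdminSDHolder ACL.
    #    SetAccessRuleProtection($false, $true) = inherit again, keep existing explicit ACEs.
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}
```

Run it once without `-Commit`, review the reported accounts, then run it with `-Commit`. If a reported user is in fact still a member of a protected group (for example through a group SDProp has not yet stamped), the attribute will simply be set to 1 again on the next SDProp run, which is harmless; ADMonitor picks up the cleared attribute at its next refresh interval.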
For reference purposes, the following table contains the protected groups in Active Directory listed by domain controller operating system.
Windows Server 2003 RTM | Windows Server 2003 SP1+ | Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 | Windows Server 2016, Windows Server 2019 |
---|---|---|---|
Account Operators | Account Operators | Account Operators | Account Operators |
Administrator | Administrator | Administrator | Administrator |
Administrators | Administrators | Administrators | Administrators |
Backup Operators | Backup Operators | Backup Operators | Backup Operators |
Cert Publishers | - | - | - |
Domain Admins | Domain Admins | Domain Admins | Domain Admins |
Domain Controllers | Domain Controllers | Domain Controllers | Domain Controllers |
Enterprise Admins | Enterprise Admins | Enterprise Admins | Enterprise Admins |
- | - | - | Enterprise Key Admins |
- | - | - | Key Admins |
Krbtgt | Krbtgt | Krbtgt | Krbtgt |
Print Operators | Print Operators | Print Operators | Print Operators |
- | - | Read-only Domain Controllers | Read-only Domain Controllers |
Replicator | Replicator | Replicator | Replicator |
Schema Admins | Schema Admins | Schema Admins | Schema Admins |
Server Operators | Server Operators | Server Operators | Server Operators |
AdminSDHolder is an object (of class container) in the System container of each domain that holds the security descriptor SDProp applies to members of protected groups. Every 60 minutes (by default) the PDC emulator copies this ACL onto every protected account and group and disables inheritance on those objects, so whatever is granted on AdminSDHolder is effectively granted on all privileged accounts in the domain. This also makes AdminSDHolder a well-known persistence target: an extra ACE added here by an attacker is silently propagated to every protected account within the hour, so the ACL should be reviewed and monitored for changes. The ACL can be viewed on the AdminSDHolder object itself. Open Active Directory Users and Computers and ensure Advanced Features is selected in the View menu. Navigate to the System container under the domain, right-click the sub-container called AdminSDHolder and select Properties. The Security tab displays the ACL that will be applied to all members of protected groups.
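The same ACL can be read from PowerShell, which is more practical for a periodic check. The script below is an added example, not part of EventSentry's own code: it dumps the owner of AdminSDHolder and every Allow ACE that grants write-type rights, and marks trustees outside a list of principals that normally hold such rights. That `$expected` list is an assumption of this example and not an authoritative default; a few built-in ACEs (for example for Terminal Server License Servers or Cert Publishers, depending on the domain's history) may legitimately show up as REVIEW, so compare the output against a known-good domain or the Microsoft defaults before acting on it. It assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not EventSentry's own code: list the AdminSDHolder ACL and flag ACEs
# that grant write-type rights to principals other than the ones that normally hold
# them. Because this ACL is copied to every protected account by SDProp, an unexpected
# ACE here is a persistence technique worth alerting on. Assumes the ActiveDirectory
# RSAT module; the $expected list is an assumption of this example, not a Microsoft default.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$acl      = Get-Acl -Path "AD:\$holderDn"

# Rights that let a trustee take over or modify the protected accounts.
$dangerous = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Principals that normally carry write-type rights on AdminSDHolder (assumed baseline).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins",
    'NT AUTHORITY\SELF',
    'Everyone'   # holds the "Change Password" extended right by default
)

# The owner can rewrite the DACL regardless of the ACEs, so report it first.
Write-Host "AdminSDHolder owner: $($acl.Owner)"
if ($acl.Owner -ne "$($domain.NetBIOSName)\Domain Admins") {
    Write-Warning "Owner is not Domain Admins; review."
}

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $dangerous) -ne 0)
    } |
    ForEach-Object {
        $who = $_.IdentityReference.Value
        [pscustomobject]@{
            Status    = if ($expected -contains $who) { 'expected' } else { 'REVIEW' }
            Trustee   = $who
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
        }
    } |
    Sort-Object Status -Descending, Trustee |
    Format-Table -AutoSize
```

Save the first run's output as a baseline and diff subsequent runs against it; any new REVIEW row, or a change of owner, should be investigated before SDProp has a chance to propagate it to the protected accounts.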