Roughly a year ago, I shared how to properly delegate Directory permissions to Azure AD Connect service accounts. One of the issues you might encounter after following those steps is that your privileged accounts, and accounts that were previously privileged, might show permission errors in Azure AD Connect’s Synchronization Service Manager.
Initially, I didn’t include these accounts in the synchronization scope of Azure AD Connect, and it’s a recommended practice from Microsoft to not synchronize Tier 0 privileged accounts. However, there are a lot more user objects that suffer from this particular challenge:
- Members of the Backup Operators group
- Members of the Print Operators group
- Members of the Server Operators group
- Members of the Account Operators group
What these accounts have in common is that their security descriptors are governed by AdminSDHolder, and that their adminCount attributes are set to 1.
AdminSDHolder is both a container, located in the System container of every Active Directory domain, and a background process.
- The AdminSDHolder container contains a Master Security Descriptor (SD) for the protected groups and their members in Active Directory.
- The AdminSDHolder process runs in the background every 60 minutes on the Domain Controller that holds the PDC Emulator FSMO role.
When AdminSDHolder runs, it transitively expands the list of protected groups and all their nested groups (both security and distribution groups) and compares the security descriptor of each member group and user with its own Master SD. If there is a mismatch, the ACEs from AdminSDHolder are copied to and enforced on the object. Inheritance from the parent is also disabled, so the descriptor stays consistent even if the object is moved to another location in the directory.
The AdminSDHolder object itself also has inheritance disabled, to protect it from parent delegations, and has a restricted ACL. Since AdminSDHolder is not a group object, admins can’t actually see the SD ACLs for protected groups or users in the Active Directory admin tools.
Solving AdminSDHolder-related errors
To solve Azure AD Connect synchronization errors for objects with adminCount attributes set to 1, we can apply one of three approaches:
- Remove the object(s) from Azure AD Connect’s synchronization scope
- Reset the adminCount attribute for the object(s) to not set, or 0, if the object is no longer a member of a privileged group
- Delegate the permissions to the AdminSDHolder container
The first two approaches are recommended. However, if you need to delegate the permission to write the mS-DS-ConsistencyGUID attribute on the AdminSDHolder container, you can use the following line at the Command Prompt of the Domain Controller with the PDCe FSMO role, signed in with an account that is a member of the Enterprise Admins group. Because the AdminSDHolder process copies its ACEs to every protected object, the delegation reaches the affected accounts on its next run:
dsacls.exe "cn=AdminSDHolder,cn=System,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupBasePermissions:WP;mS-DS-ConsistencyGUID;user"
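The second approach above, finding accounts that still carry adminCount=1 although they have left every protected group, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module, rights to read and write the affected user objects, and the default set of protected groups (adjust the list for your forest); run it with -WhatIf first.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): list users whose adminCount is 1 but who are no
# longer transitive members of an AdminSDHolder-protected group, then clear adminCount and
# re-enable ACL inheritance on them. Run with -WhatIf first to review the candidates.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Default protected groups. Enterprise Admins and Schema Admins exist only in the forest root
# domain, so groups that are not found are skipped. Extend the list if your forest uses e.g. Key Admins.
$groupNames = 'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
              'Backup Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
              'Read-only Domain Controllers', 'Schema Admins', 'Enterprise Admins'
$groupDns = foreach ($n in $groupNames) {
    (Get-ADGroup -Filter "name -eq '$n'" -ErrorAction SilentlyContinue).DistinguishedName
}

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) evaluates nested membership server-side,
# so one query returns adminCount=1 users who are in none of the protected groups.
$inChain = ($groupDns | Where-Object { $_ } |
            ForEach-Object { "(memberOf:1.2.840.113556.1.4.1941:=$_)" }) -join ''
$filter  = "(&(objectCategory=person)(adminCount=1)(!(sAMAccountName=krbtgt))(!(|$inChain)))"

# krbtgt (excluded above) and the built-in Administrator (RID 500) are always protected.
$orphaned = Get-ADUser -LDAPFilter $filter -Properties adminCount |
    Where-Object { -not $_.SID.Value.EndsWith('-500') }

foreach ($u in $orphaned) {
    $dn = $u.DistinguishedName
    if ($PSCmdlet.ShouldProcess($dn, 'Clear adminCount and re-enable inheritance')) {
        Set-ADUser -Identity $u -Clear adminCount
        # AdminSDHolder disabled inheritance on the object; clearing adminCount alone does not
        # restore it, so switch inheritance back on while keeping the explicit ACEs in place.
        $acl = Get-Acl -Path "AD:\$dn"
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }
}

# Report what was (or, with -WhatIf, would be) cleaned up.
$orphaned | Select-Object SamAccountName, DistinguishedName
```

Once inheritance is restored, the delegated permissions from the OU apply again and the next Azure AD Connect synchronization cycle can write to these objects.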