How to solve Azure AD Connect synchronization errors for objects with adminCount attributes set to 1

Reading Time: 2 minutes

Roughly a year ago, I shared how to properly delegate Directory permissions to Azure AD Connect service accounts. One of the issues you might encounter with those steps is that you privileged accounts and previously-privileged accounts might present permission-issue errors in Azure AD Connect’s Synchronization Service Manager:

Permission-Issue in Azure AD Connect's Synchronization Service Manager (click for original screenshot)

Initially, I didn’t include these accounts into the synchronization scope of Azure AD Connect, and it’s a recommended practice from Microsoft to not synchronize Tier 0 privileged accounts. However, there are a lot more user objects that suffer from this particular challenge:

  • Members of the Backup Operators group
  • Members of the Print Operators group
  • Members of the Server Operators group
  • Members of the Account Operators group

What these accounts have in common is that their security descriptors are governed by AdminSDHolder.  These accounts all have in common that their adminCount attributes are set to 1.

About AdminSDHolder

AdminSDHolder is a container that exists in all Active Directory domains, in the System container and a background process.

  • The AdminSDHolder container contains a Master Security Descriptor (SD) for the protected groups and their members in Active Directory.
  • The AdminSDHolder process runs in the background, every 60 minutes on the Domain Controller with the PDC Emulator FSMO role.

When AdminSDHolder runs, it transitively expands the list of protected groups and all its nested groups (both security and distribution groups) and compares the security descriptor for member groups and users with its own Master SD. If there is a mismatch, the ACEs from AdminSDHolder will be copied and enforced on the object. Inheritance from parent delegates is also disabled to keep consistency even if the object is moved to another location in the directory.

The AdminSDHolder object itself also has inheritance disabled to be protected from parent delegates and has restricted ACLs. Since AdminSDHolder is not a group object, admins can’t actually see the SD ACLs for protected groups or users in the Active Directory admin tools.

Solving AdminSDHolder-related errors

To solve Azure AD Connect synchronization errors for objects with adminCount attributes set to 1, we can apply one of three approaches:

  1. Remove the object(s) from Azure AD Connect’s synchronization scope
  2. Reset the adminCount attribute for the object(s) to not set, or 0, if the object is no longer a member of the privileged group
  3. Delegate the permissions to the AdminSDHolder container

Delegate permissions

The first two approaches are recommended. However, if you need to delegate the permissions to write the mS-DS-ConsistencyGUID attribute to the AdminSDHolder container, you can use the following line on the Command Prompt of the Domain Controller with the PDCe FSMO role, while signed in with an account that is a member of the Enterprise Admins group:

dsacls.exe "cn=AdminSDHolder,cn=System,dc=domain,dc=tld" /I:S /G "DOMAIN\GroupBasePermissions:WP;mS-DS-ConsistencyGUID;user"

Posted on February 16, 2021 by Sander Berkouwer in Delegation of Control, Entra Connect, Security

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.