
3.1.1.6.1 AdminSDHolder

References

  • Special Objects in section 6.1: Windows NT operating system

Glossary Terms: Active Directory, security principal, privileges, PDC, FSMO, SD, transitive membership, RID

LDAP attributes: nTSecurityDescriptor, groupType, objectClass, member, objectSid, dSHeuristics

LDAP classes: container, user, group

Constants

  • Access mask bits, CARs:

  • groupType bits: GROUP_TYPE_SECURITY_ENABLED

  • Constant RIDs: DOMAIN_ALIAS_RID_ADMINS, DOMAIN_ALIAS_RID_ACCOUNT_OPS, DOMAIN_ALIAS_RID_SYSTEM_OPS, DOMAIN_ALIAS_RID_PRINT_OPS, DOMAIN_ALIAS_RID_BACKUP_OPS, DOMAIN_ALIAS_RID_REPLICATOR, DOMAIN_GROUP_RID_SCHEMA_ADMINS, DOMAIN_GROUP_RID_ADMINS, DOMAIN_GROUP_RID_CONTROLLERS, DOMAIN_USER_RID_KRBTGT, DOMAIN_USER_RID_ADMIN

If a security principal object that holds elevated administrative privileges in Active Directory has a weak SD, an attacker who can write to that object can take over the privileged account or group directly. Active Directory therefore protects the SDs of such objects against updates that would weaken them.

Each security principal is represented as an object o in Active Directory. Every o has an attribute o!nTSecurityDescriptor whose value is the SD that defines the owner, the permissions (DACL), and the audited operations (SACL) for o.

Active Directory protects the SD on certain objects by periodically overwriting any changes with the SD stored on the AdminSDHolder object (CN=AdminSDHolder,CN=System in the domain NC). The protected objects are the security principals that are members, directly or through transitive membership, of the groups and accounts identified by the constant RIDs listed above; the dSHeuristics attribute can exclude the operator groups from this set. Because the overwrite is performed on a schedule by the PDC FSMO role owner rather than at the moment a change is made, this mechanism only loosely establishes an upper bound on the length of time that a protected object may carry a weak SD: a weakened SD remains in effect until the next propagation pass.
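An added example, not part of MS-ADTS and not a Microsoft tool, that shows how an administrator can check the window described above in practice: it compares the DACL of each object SDProp has stamped (adminCount=1) against the DACL of AdminSDHolder, reports drift, and optionally asks the PDC emulator to run the propagation task immediately. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain; the function names and the shape of the output are this example's own.

```powershell
# Added example (not from MS-ADTS or any Microsoft tool): audit drift between the
# DACL of AdminSDHolder and the DACLs of the objects SDProp protects.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Render one ACE as a comparable string. SIDs are used instead of names so that
# an unresolvable trustee does not break the comparison.
function ConvertTo-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference.Value, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.InheritanceType, $Ace.ObjectType, $Ace.InheritedObjectType
}

function Get-AdminSDHolderDrift {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $domainDN = (Get-ADDomain -Server $Server).DistinguishedName
    $holder   = Get-ADObject -Server $Server -Properties nTSecurityDescriptor `
                    -Identity "CN=AdminSDHolder,CN=System,$domainDN"
    $refSD    = $holder.nTSecurityDescriptor
    $refKeys  = @($refSD.GetAccessRules($true, $true, $sidType) | ForEach-Object { ConvertTo-AceKey $_ })

    # adminCount=1 marks objects SDProp has stamped. It is a heuristic: an object
    # removed from a protected group keeps adminCount=1 until someone clears it.
    $candidates = Get-ADObject -Server $Server -LDAPFilter '(adminCount=1)' `
                      -Properties nTSecurityDescriptor, adminCount

    foreach ($obj in $candidates) {
        if ($obj.DistinguishedName -eq $holder.DistinguishedName) { continue }
        $sd   = $obj.nTSecurityDescriptor
        $keys = @($sd.GetAccessRules($true, $true, $sidType) | ForEach-Object { ConvertTo-AceKey $_ })

        # Any ACE not present on AdminSDHolder (including an inherited one, which
        # means inheritance was re-enabled) is a weakening SDProp will revert.
        [pscustomobject]@{
            DistinguishedName  = $obj.DistinguishedName
            Owner              = $sd.GetOwner($sidType).Value
            InheritanceBlocked = $sd.AreAccessRulesProtected
            ExtraAces          = @($keys    | Where-Object { $_ -notin $refKeys })
            MissingAces        = @($refKeys | Where-Object { $_ -notin $keys })
        }
    }
}

# Ask the PDC emulator to run SDProp now instead of waiting for the periodic pass.
# runProtectAdminGroupsTask is a rootDSE modify operation (MS-ADTS 3.1.1.3.3).
function Invoke-SDPropNow {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put('runProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

# Usage: list protected objects whose SD differs from AdminSDHolder's, force a
# propagation pass, then re-run the audit and confirm the differences are gone.
Get-AdminSDHolderDrift |
    Where-Object { $_.ExtraAces -or $_.MissingAces -or -not $_.InheritanceBlocked } |
    Format-List
Invoke-SDPropNow
```

Run the audit against the PDC emulator, as the default parameter does, because that is the DC that performs the overwrite; a reading from another DC may lag replication. A non-empty ExtraAces list, or InheritanceBlocked reported as false, is exactly the weak-SD state the text describes, and re-running the audit after Invoke-SDPropNow should show it cleared. If an object with adminCount=1 shows drift but is no longer a member of any protected group, it is an orphan that SDProp will not touch, and its SD needs to be reviewed by hand.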

© 2014 Microsoft. All rights reserved.