Learn to adjust the AdminCount attribute in protected accounts

The AdminCount of accounts in Active Directory is often a misunderstood or foreign concept to many admins. If you would like to learn what it is, what use it serves and how to set it correctly, then please check out this recent article I wrote for TechTarget.

The article is a thorough analysis of all things related to AdminCount and what you need to pay attention to. All Active Directory objects have a hidden attribute called AdminCount, which is set to Null by default. Accounts considered special have the AdminCount value set to 1, which disables inheritance on the object and sets the security on the object to be governed by the AdminSDHolder object.

There are special processes that run and "watch" the AdminCount on accounts. Most people bump into AdminCount when they make permissions changes on a protected account and then see the changes reverted after an hour. If this sounds familiar to you, I invite you to read along and I'll show you where to look and how to configure your environment correctly to offer the best mix of security and convenience.

As always, I value your feedback, please share your thoughts on this topic in the comments section below. You can get to the article by clicking the link earlier in the article or by following the link below.


You've successfully subscribed to Command Line Ninja
Great! Next, complete checkout for full access to Command Line Ninja
Welcome back! You've successfully signed in.
Unable to sign you in. Please try again.
Success! Your account is fully activated, you now have access to all content.
Error! Stripe checkout failed.
Success! Your billing info is updated.
Error! Billing info update failed.
Table fo contents