Overriding AdminSDHolder and the FIM AD account

There is a process in AD, usually called SDProp, that protects accounts which are members of privileged groups (Domain Admins, Administrators, Account Operators and the other default protected groups). It uses a template object, CN=AdminSDHolder, in the System container of the domain. When the process runs (every 60 minutes by default, on the PDC emulator) it looks at the security page on that template object and stamps a copy of it onto every protected user and group, disabling inheritance on them and setting adminCount to 1. Whatever rights you delegated at the OU level are therefore wiped off these objects within the hour. By default the Account Operators group is not on the security page of the template object, and the FIM AD account is a member of the Account Operators group, so the FIM account fails to make changes on admin accounts, service accounts and other such protected accounts. There are about 150 of them in my environment and they keep coming up here and there. Here is the solution.

Go to the template object (CN=AdminSDHolder in the System container) and add the FIM AD account there, either with Full Control or, preferably, with only the specific rights the FIM connector needs (for example Reset Password and Write on the attributes it manages). When the process next runs, it will copy those entries onto all the protected objects. Keep in mind that this ACL is mirrored onto every privileged account in the domain, so whoever can write it effectively controls all of them: grant the narrowest rights that work, treat the FIM account as a privileged account, and audit changes to the AdminSDHolder object. One should make this standard practice for all FIM AD deployments.
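The same change done from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module, a Domain Admin session, and a FIM service account named svc-fim (a hypothetical name); the attributes it delegates (pwdLastSet, lockoutTime, userAccountControl) are illustrative and should be replaced with whatever your connector actually writes. Instead of Full Control it grants the Reset Password extended right plus Write on those named attributes, then forces SDProp to run immediately rather than waiting for the 60-minute cycle, and finally checks that every adminCount=1 object picked up the new entry.

```powershell
# Added example, not the original post's code. Assumptions: ActiveDirectory module,
# Domain Admin rights, and a FIM service account called svc-fim (hypothetical).
Import-Module ActiveDirectory

$Domain        = Get-ADDomain
$AdminSDHolder = "AD:\CN=AdminSDHolder,CN=System,$($Domain.DistinguishedName)"
$Account       = Get-ADUser -Identity 'svc-fim'          # hypothetical account name
$Sid           = [System.Security.Principal.SecurityIdentifier]$Account.SID
$SchemaNC      = (Get-ADRootDSE).schemaNamingContext

# Resolve an attribute's lDAPDisplayName to its schemaIDGUID so the ACE can be
# scoped to that single attribute instead of "write all properties".
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $SchemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute $LdapDisplayName not found in schema" }
    [guid]$obj.schemaIDGUID
}

# Well-known control-access right GUID for "Reset Password".
$ResetPwdGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$Allow        = [System.Security.AccessControl.AccessControlType]::Allow

$Acl = Get-Acl -Path $AdminSDHolder

# 1. Extended right: reset password on protected accounts.
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $Allow, $ResetPwdGuid)))

# 2. Write on named attributes only (replace with the attributes your MA writes).
foreach ($attr in 'pwdLastSet', 'lockoutTime', 'userAccountControl') {
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $Allow, (Get-SchemaGuid $attr))))
}
Set-Acl -Path $AdminSDHolder -AclObject $Acl

# 3. Ask the PDC emulator to run SDProp now instead of waiting up to 60 minutes.
$RootDse = [ADSI]"LDAP://$($Domain.PDCEmulator)/RootDSE"
$RootDse.Put('runProtectAdminGroupsTask', '1')
$RootDse.SetInfo()
Start-Sleep -Seconds 30      # give SDProp a moment; repeat the check below if needed

# 4. Verify: every protected object (adminCount=1) should now carry the reset-password ACE.
$Missing = Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $Domain.DistinguishedName |
    Where-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        -not ($acl.Access | Where-Object {
            $_.ObjectType -eq $ResetPwdGuid -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
        })
    }
if ($Missing) {
    Write-Warning "ACE not yet propagated to: $($Missing.DistinguishedName -join ', ')"
} else {
    Write-Host "AdminSDHolder ACE present on all protected objects."
}
```

The verification step matters because SDProp only touches objects on its own schedule: if the check still reports objects after a few minutes, confirm you ran it against the PDC emulator and that the domain's AdminSDProtectFrequency has not been changed. If you later need to pull the rights back, remove the entries from AdminSDHolder and let SDProp stamp the reduced ACL out the same way.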
