Overriding AdminSDHolder and the FIM AD account

There is a process in AD called AdminSDHolder (the SDProp process) which protects accounts that are members of privileged groups. A template object named AdminSDHolder lives in the System container in AD; when the process runs (every 60 minutes by default) it reads the security page of that template object and mirrors it onto every protected account, overwriting whatever permissions they had. By default the Account Operators group is not on the security page of the template object, and the FIM AD account is a member of the Account Operators group. So I find the FIM account fails to make changes to admin accounts, service accounts and other such accounts. There are about 150 of them, and they keep coming up here and there. Here is the solution.

Go to the template object and add the FIM AD account with Full Control. When the process runs, it will add the FIM AD account to all of these protected objects. This should be standard practice for all FIM AD deployments.

The other alternative is not to put the FIM AD account in a domain privileged group like Account Operators at all, but to use delegation and give the FIM AD account specific delegated rights on the OUs it manages.

I would recommend doing both. OU delegation covers the ordinary accounts, but SDProp disables inheritance on protected objects, so delegated OU rights never reach them; the entry on the template object is what makes the FIM account work there.
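As an added example (not code from the original post), the following PowerShell audits the AdminSDHolder template for the FIM AD account and then reports which protected objects (adminCount=1) still lack an entry for it; the ACE is written only when $ApplyFix is set. It assumes the RSAT ActiveDirectory module is loaded and uses svc-fim as a placeholder for the real FIM service account name.

```powershell
# Added example: audit (and optionally fix) the AdminSDHolder template for the FIM account.
# Assumptions: ActiveDirectory module available, run with rights to read/modify
# CN=AdminSDHolder (Domain Admins by default). 'svc-fim' is a placeholder name.
Import-Module ActiveDirectory

$fimSam   = 'svc-fim'     # placeholder: sAMAccountName of the FIM AD account
$ApplyFix = $false        # $true writes the ACE; SDProp pushes it to protected objects within ~60 min

$domain = Get-ADDomain
$holder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$fimSid = (Get-ADUser -Identity $fimSam).SID
$fimNt  = $fimSid.Translate([System.Security.Principal.NTAccount])   # DOMAIN\svc-fim

# 1. Does the template already carry an ACE for the FIM account?
$acl      = Get-Acl -Path "AD:\$holder"
$existing = $acl.Access | Where-Object { $_.IdentityReference -eq $fimNt }

if ($existing) {
    "$fimSam already has an ACE on AdminSDHolder: $($existing.ActiveDirectoryRights -join ', ')"
} else {
    Write-Warning "$fimSam has no ACE on AdminSDHolder; SDProp will keep removing its rights on protected objects."
    if ($ApplyFix) {
        # Full Control on the template, as the post recommends. This ACE is copied to every
        # protected principal, so the FIM account must itself be guarded like a Domain Admin.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $fimSid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($rule)
        Set-Acl -Path "AD:\$holder" -AclObject $acl
        "ACE added; re-run this script after the next SDProp cycle to confirm propagation."
    }
}

# 2. Which protected objects still lack the FIM ACE? (adminCount=1 also flags objects that
#    were protected in the past and never cleaned up; review those separately.)
$protected = Get-ADObject -LDAPFilter '(&(adminCount=1)(!(cn=AdminSDHolder)))' `
                          -SearchBase $domain.DistinguishedName
$missing = foreach ($obj in $protected) {
    $objAcl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    if (-not ($objAcl.Access | Where-Object { $_.IdentityReference -eq $fimNt })) {
        $obj.DistinguishedName
    }
}
"{0} of {1} protected objects still lack an ACE for {2}" -f @($missing).Count, @($protected).Count, $fimSam
$missing
```

Run it once before the change to capture the list of affected objects, and again after the next SDProp cycle; the second run should report zero missing entries.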
