{"id":961,"date":"2014-04-01T00:00:03","date_gmt":"2014-03-31T22:00:03","guid":{"rendered":"http:\/\/marwin.e-blog.cz\/?p=961"},"modified":"2017-06-20T19:09:02","modified_gmt":"2017-06-20T17:09:02","slug":"adminsdholder-co-to-je-a-jak-funguje","status":"publish","type":"post","link":"https:\/\/svobodma.cz\/?p=961","title":{"rendered":"AdminSDHolder &#8211; Co to je a k \u010demu ?"},"content":{"rendered":"<p>Toto je opravdu stru\u010dn\u00fd \u010dl\u00e1nek o tom co je a k \u010demu slou\u017e\u00ed objekt v ActiveDirectory &#8222;<strong>AdminSDHolder<\/strong>&#8222;<em><strong> (objekt v security\/Advanced\u00a0\u00a0 nem\u00e1 povolen\u00e9 d\u011bd\u011bn\u00ed by default !)<\/strong><\/em><\/p>\n<p>AdminSDHolder je objekt, kter\u00fd najdete v Active Directory Users and Computers (ADUC) konzoli po povolen\u00ed &#8222;Advanced Features&#8220; ve view &#8222;zobrazit&#8220;, ale p\u0159edpokl\u00e1d\u00e1m, \u017ee moc z v\u00e1s \u010deskou lokalizaci serveru nem\u00e1 &#8230;.<\/p>\n<p>AdminSDHolder m\u00e1 na starost chr\u00e1nit tzv. &#8222;protected groups&#8220; p\u0159ed zm\u011bnou v ACL. Na starost ho m\u00e1 FSMO PDC. Jestli\u017ee n\u011bkdo zm\u011bn\u00ed na jmenovan\u00e9 skupin\u011b opr\u00e1vn\u011bn\u00ed, p\u0159id\u00e1 t\u0159eba domain user-ovi pr\u00e1vo <strong>modify na Domain Admins<\/strong> skupinu, b\u011bhem n\u00e1sleduj\u00edc\u00ed hodiny se toto opr\u00e1vn\u011bn\u00ed odstran\u00ed. Ka\u017edou hodinu se toti\u017e\u00a0by default kontoluje stav ACL a jestli\u017ee nesed\u00ed dle v\u00fdchoz\u00edho stavu, syst\u00e9m (PDC) ACL\u00a0vr\u00e1t\u00ed do p\u016fvodn\u00edho stavu. V\u0161echny objekty (user, groups), kter\u00e9 jsou a nebo byly \u010dleny t\u011bchto skupin, maj\u00ed hodnotu atributu <strong>AdminCount=1 (odstra\u0148uje d\u011bd\u011bn\u00ed na t\u011bchto objektech), <\/strong>tato hodnota s u\u017e sama od sebe nikdy nevr\u00e1t\u00ed zp\u011bt. Toto m\u00e1 v\u0161ak za n\u00e1sledek, \u017ee se p\u0159i zapnut\u00ed d\u011bd\u011bn\u00ed na objektu s hodnotou atributu AdminCount=1, nebudou spr\u00e1vn\u011b d\u011bdit pr\u00e1va z\u00a0nad\u0159azen\u00fdch objekt\u016f. AdminCount m\u016f\u017eete nastavit na &lt;<strong>not set&gt;<\/strong>\u00a0p\u0159es ADSIEDIT n\u00e1stroj, nebo\u00a0 n\u00e1stroj\u00a0ADUC\u00a0 p\u0159es <strong>tab Attribute Editor.<\/strong><\/p>\n<table border=\"0\" width=\"536\" cellspacing=\"0\" cellpadding=\"0\">\n<colgroup>\n<col span=\"4\" width=\"134\" \/><\/colgroup>\n<tbody>\n<tr>\n<td width=\"134\" height=\"32\"><span style=\"font-size: small;\"><span style=\"color: #333333;\"><span style=\"font-family: Times New Roman;\"><strong>Windows 2000 Server RTM<\/strong>\u00a0<\/span><\/span><\/span><\/td>\n<td width=\"134\"><span style=\"font-size: small;\"><span style=\"color: #333333;\"><span style=\"font-family: Times New Roman;\"><strong>Windows 2000 Server with SP4<\/strong>\u00a0<\/span><\/span><\/span><\/td>\n<td width=\"134\"><span style=\"font-size: small;\"><span style=\"color: #333333;\"><span style=\"font-family: Times New Roman;\"><strong>Windows Server 2003 with SP1<\/strong>\u00a0,<strong>SP2<\/strong><\/span><\/span><\/span><\/td>\n<td width=\"134\"><strong><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Windows Server 2008,R2, Windows Server 2012, R2<\/span><\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Administrators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Account Operators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Account Operators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Account Operators<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Domain Admins<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Administrator<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Administrator<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Administrator<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Enterprise Admins<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Administrators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Administrators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Administrators<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Schema Admins<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Backup Operators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Backup Operators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Backup Operators<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Cert Publishers<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Domain Admins<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Domain Admins<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Domain Admins<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Domain Controllers<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Domain Controllers<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Domain Controllers<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Enterprise Admins<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Enterprise Admins<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Enterprise Admins<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Krbtgt<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Krbtgt<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Krbtgt<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Print Operators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Print Operators<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"32\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Print Operators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Replicator<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Read-only Domain Controllers<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Replicator<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Schema Admins<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Replicator<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"20\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Schema Admins<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Server Operators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Schema Admins<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"134\" height=\"21\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Server Operators<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">\u00a0<\/span><\/td>\n<td width=\"134\"><span style=\"color: #333333; font-family: Times New Roman; font-size: small;\">Server Operators<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>Mal\u00e1 uk\u00e1zka: (opravdu jsem opr\u00e1vn\u011bn\u00ed <strong>send as<\/strong>, neodstranil ru\u010dn\u011b :)) &#8211; Uk\u00e1zka, jak m\u016f\u017ee\u00a0nastat probl\u00e9m, jestli\u017ee pou\u017e\u00edv\u00e1te domain admin \u00fa\u010det\u00a0s mailboxem v MS Exchange a budete cht\u00edt n\u011bkomu dovolit pos\u00edlat za admina email (opr\u00e1vn\u011bn\u00ed <strong>send as<\/strong>)<\/p>\n<p><a href=\"http:\/\/marwin.e-blog.cz\/?attachment_id=965\" rel=\"attachment wp-att-965\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-965\" src=\"http:\/\/marwin.e-blog.cz\/marwin.e-blog.cz\/httpdocs\/wp-content\/uploads\/adminSDholders_demo11.png\" alt=\"adminSDholders_demo1\" width=\"783\" height=\"533\" \/><\/a><\/p>\n<p>Toto je mimochodem zp\u016fsob, jak kontrolu ACL, kter\u00e1 je default jednou za hodinu, urychlit (v m\u00e9m p\u0159\u00edpad\u011b se ale stejn\u011b kontrola ACL projevila o n\u011bco pozd\u011bji, ne\u017e po akci viz.n\u00ed\u017ee )<\/p>\n<p>Pou\u017eit n\u00e1stroj <strong>ldp.exe<\/strong><\/p>\n<p><a href=\"http:\/\/marwin.e-blog.cz\/?attachment_id=963\" rel=\"attachment wp-att-963\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-963\" src=\"http:\/\/marwin.e-blog.cz\/marwin.e-blog.cz\/httpdocs\/wp-content\/uploads\/adminSDholders_demo2.png\" alt=\"adminSDholders_demo2\" width=\"860\" height=\"405\" \/><\/a><\/p>\n<p>Tady u\u017e vid\u00edme, \u017ee u\u017eivatel user1 nen\u00ed v seznamu uveden.<\/p>\n<p><a href=\"http:\/\/marwin.e-blog.cz\/?attachment_id=966\" rel=\"attachment wp-att-966\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-966\" src=\"http:\/\/marwin.e-blog.cz\/marwin.e-blog.cz\/httpdocs\/wp-content\/uploads\/adminSDholders_demo3latter1.png\" alt=\"adminSDholders_demo3latter\" width=\"783\" height=\"529\" \/><\/a><\/p>\n<p>V\u00edce informac\u00ed najdete zde:\u00a0https:\/\/technet.microsoft.com\/cs-cz\/magazine\/2009.09.sdadminholder(en-us).aspx<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Toto je opravdu stru\u010dn\u00fd \u010dl\u00e1nek o tom co je a k \u010demu slou\u017e\u00ed objekt v ActiveDirectory &#8222;AdminSDHolder&#8222; (objekt v security\/Advanced\u00a0\u00a0 nem\u00e1 povolen\u00e9 d\u011bd\u011bn\u00ed by default !) AdminSDHolder je objekt, kter\u00fd najdete v Active Directory Users and Computers (ADUC) konzoli po &hellip; <a href=\"https:\/\/svobodma.cz\/?p=961\">Cel\u00fd p\u0159\u00edsp\u011bvek <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-961","post","type-post","status-publish","format-standard","hentry","category-activedirectory"],"_links":{"self":[{"href":"https:\/\/svobodma.cz\/index.php?rest_route=\/wp\/v2\/posts\/961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/svobodma.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/svobodma.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/svobodma.cz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/svobodma.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=961"}],"version-history":[{"count":12,"href":"https:\/\/svobodma.cz\/index.php?rest_route=\/wp\/v2\/posts\/961\/revisions"}],"predecessor-version":[{"id":1277,"href":"https:\/\/svobodma.cz\/index.php?rest_route=\/wp\/v2\/posts\/961\/revisions\/1277"}],"wp:attachment":[{"href":"https:\/\/svobodma.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/svobodma.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/svobodma.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}