Active Directory user accounts keep losing inheritable permissions?

Do you have Active Directory accounts managed by a password reset tool such as Thycotic’s Password Reset, and out of the blue some accounts simply stop being manageable?  We did, and I stumbled across the cause while trying to resolve something else.  We were using another tool to discover “sensitive” accounts to target for other security changes, and it kept returning accounts that were clearly not in any sensitive account group.  The tool was selecting on a single attribute:

Get-ADUser -Filter {AdminCount -eq 1} | Select-Object DistinguishedName

Well, what exactly is AdminCount?

https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-admincount

AdminCount: Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups.

Further reading and forum comments turned up the mechanism.  When an account is a member (directly or through nested groups) of one of the protected groups (Domain Admins, Enterprise Admins, Schema Admins, Administrators, Account Operators, Server Operators, Print Operators, Backup Operators and a few others), the AdminSDHolder process (SDProp) running on the PDC emulator stamps the account with the ACL from the AdminSDHolder object, disables permission inheritance on it, and sets AdminCount to 1.  Removing the account from the group does not undo any of this: AdminCount stays at 1 and the locked-down ACL stays in place.  You can set AdminCount back to 0 yourself, but if the account is still in one of those groups SDProp will set it back to 1 on its next pass, which runs every 60 minutes by default.

I then stumbled on a forum comment pointing out that an account with AdminCount = 1 has had inheritance disabled, so it no longer picks up permissions granted on its parent OU.  Wait, what?  I have that issue too!  It clicked that the accounts we kept having trouble with in the password reset tool were these same accounts.  At some point they had been in a privileged group, had since been removed, and were left with AdminCount still set to 1 and inheritance still switched off, so the delegated rights the reset tool relies on never reached them.  I edited each of these accounts in the Active Directory Users and Computers MMC on the Attribute Editor tab and set AdminCount to 0 (as noted above, it will flip back to 1 if the account is still in a protected group, so check membership first).  I then went to the Security tab, clicked Advanced, and made sure “Include inheritable permissions from this object’s parent” was checked, since clearing AdminCount alone does not re-enable inheritance.  Now these accounts no longer have issues with the password reset tool!
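The same cleanup done in bulk, as an added example that is not part of the original post.  The script finds users stamped with AdminCount = 1 that are no longer members of any protected group, clears the attribute, and re-enables inheritance on the object.  It assumes the ActiveDirectory RSAT module, rights to modify the affected accounts, and the default Windows Server protected-group list; the `$DryRun` switch is my own convention for a preview run.

```powershell
# Added example (not the original post's code): clean up accounts orphaned by AdminSDHolder.
# Assumes the ActiveDirectory module and sufficient rights. Set $DryRun = $false to apply changes.
Import-Module ActiveDirectory

$DryRun = $true

# Default groups protected by AdminSDHolder (assumption: no custom additions in this forest).
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Domain Admins', 'Domain Controllers', 'Enterprise Admins',
    'Schema Admins', 'Read-only Domain Controllers', 'Replicator'
)

# Build the set of DNs that are still (transitively) members of a protected group.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
}

# Orphans: AdminCount=1 but not in any protected group. These are the accounts SDProp
# will NOT re-stamp, so clearing AdminCount and restoring inheritance will stick.
$orphans = Get-ADUser -Filter { AdminCount -eq 1 } -Properties AdminCount |
    Where-Object { -not $protectedMembers.ContainsKey($_.DistinguishedName) }

foreach ($user in $orphans) {
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    Write-Host ("{0}: AdminCount={1}, inheritance blocked={2}" -f
        $user.SamAccountName, $user.AdminCount, $acl.AreAccessRulesProtected)

    if ($DryRun) { continue }

    # Clear the attribute entirely (equivalent to the <not set> state; 0 also works).
    Set-ADUser -Identity $user -Clear adminCount

    # Re-enable inheritance: isProtected=$false turns it back on,
    # preserveInheritance=$true keeps the existing explicit ACEs in place.
    if ($acl.AreAccessRulesProtected) {
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it once with `$DryRun = $true` and review the list; anything still in a protected group is deliberately excluded because SDProp would simply undo the change within the hour.  `Get-ADGroupMember -Recursive` can fail on groups containing foreign security principals or very large memberships, so if it errors for a group, enumerate that group another way before trusting the orphan list.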

Comments or questions?
