Score:3

How to add missing property to AdminSDHolder


I am trying to delegate permissions for a service account to modify a single extended property on Active Directory user accounts. The property is msDS_CloudExtensionAttribute1.

Our AD user objects have this property, and so it is easy to delegate the proper permissions at the OU level. However, protected user accounts (such as domain admins) keep having their permissions reset by the SDPropagator task.

To fix this, I need to correct the permissions that are applied to protected accounts by modifying the AdminSDHolder object in Active Directory. This object does not have the msDS_CloudExtensionAttribute1 property. Therefore, I have been unable to provide write permissions to this property on this object.

How do I add the missing property to this specific AD object, so I can set permissions on it, and it can be copied to protected user accounts?

Score:3

In order to do this I had to use the Active Directory Schema MMC.

Once open, navigate into Classes and then right-click container. Choose Properties.

Under the Attributes tab, Add the missing attribute/property and apply.

Close and re-open Active Directory Users and Computers, and the AdminSDHolder object will now have the new attribute. After this, I was able to delegate permissions to write this property, then allow the SD Propagator task to update all protected accounts to solve my issue.

After applying the schema change, MMC gave me an error and crashed. But the new attribute was present as expected when I went back into the schema MMC.
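
A way to verify the outcome described in the answer above, added here as an example and not part of the original answer: it confirms the schema edit persisted (useful given the MMC crash) and lists every ACE on AdminSDHolder scoped to the attribute, since that ACL is stamped onto all protected accounts. It assumes the RSAT ActiveDirectory module and that the attribute's lDAPDisplayName in the schema is `msDS-cloudExtensionAttribute1`.

```powershell
Import-Module ActiveDirectory

# Assumption: lDAPDisplayName of the attribute from the question, as stored in the schema.
$AttributeName = 'msDS-cloudExtensionAttribute1'

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainDN = $rootDse.defaultNamingContext

# 1. Confirm the schema edit persisted: the attribute should appear in mayContain
#    (optional attributes) of the 'container' class, which AdminSDHolder instantiates.
$containerClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=container))' `
    -Properties mayContain
$inSchema = $containerClass.mayContain -contains $AttributeName
"Attribute listed in container.mayContain: $inSchema"

# 2. Resolve the attribute's schemaIDGUID. Property-specific ACEs reference
#    the attribute by this GUID in their ObjectType field.
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
    -Properties schemaIDGUID
if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema." }
$attrGuid = [guid]$attr.schemaIDGUID

# 3. List every ACE on AdminSDHolder that is scoped to this attribute.
#    Each trustee shown here receives the same right on all protected accounts
#    after the next SDProp run, so only the intended service account should appear.
$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
$acl.Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

An empty result from step 3 means no attribute-specific ACE exists on AdminSDHolder, so the delegation has not been applied there yet.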
