Discover and Clear Admin Count Attribute with PowerShell
What is Admin Count?
Before we discuss Admin Count, a little background is needed. AD contains an object called AdminSDHolder. Its purpose is to protect objects, specifically objects which are members of administrative groups.
AD objects have an attribute called “Admin Count”. The default value is
By adding a user to an administrative AD group, you change the value to “1”. As a result, the user object is subject to stricter ACLs, such as disabled permission inheritance. Many admins are not aware of this.
Prevention is the best medicine, or so they say. If you are unaware of these conditions and attributes, please read this article.
Finding Affected Accounts
We have noticed that certain accounts cannot be managed by the Help Desk. On inspection, we discover that Admin Count is “1”. As a result, we need to find all affected accounts.
Below is a script which reports the affected user objects. Note that this first script will not make any changes; discovery and correction have been separated by design.
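The following discovery script is an added example and is not the original post's script. It lists every user with adminCount=1, checks whether inheritance is disabled on the object's security descriptor, and flags which of those users are no longer members of a protected group (the list of protected groups below is an assumption; adjust it for your domain). It writes a report and changes nothing.

```powershell
# Added example (not the original post's script): find users with adminCount=1 and
# report whether each is still a member of a protected (AdminSDHolder-covered) group.
Import-Module ActiveDirectory

# Assumption: these well-known protected groups are the ones relevant to your domain.
$protectedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'
)

# Build a lookup of the distinguished names of every recursive member of those groups.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
    } catch {
        # e.g. Enterprise Admins is not resolvable in every child domain
        Write-Warning "Could not enumerate group '$g': $($_.Exception.Message)"
    }
}

# Every user that AdminSDHolder has stamped carries adminCount=1.
$flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged

$report = foreach ($u in $flagged) {
    # When AdminSDHolder has applied, inheritance is disabled on the object's ACL.
    $acl = Get-Acl -Path ("AD:\" + $u.DistinguishedName)
    [PSCustomObject]@{
        SamAccountName       = $u.SamAccountName
        DistinguishedName    = $u.DistinguishedName
        AdminCount           = $u.adminCount
        InheritanceDisabled  = $acl.AreAccessRulesProtected
        StillProtectedMember = $protectedMembers.ContainsKey($u.DistinguishedName)
        WhenChanged          = $u.whenChanged
    }
}

# Rows with StillProtectedMember = False are orphaned: adminCount is set but the account
# is no longer in any protected group. Rows with True need their membership reviewed first.
$report | Sort-Object StillProtectedMember, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\AdminCountReport.csv -NoTypeInformation
```

Run this as a normal domain user from a domain-joined machine with the RSAT ActiveDirectory module installed; reading adminCount and the security descriptor requires no special rights. The CSV is the input for the correction step.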
Correcting the Problem
In order to correct the problem, we run another script. This script is very close to the first. The reason for two scripts is change control: our first script contains no functionality to make changes, so we lower the chance of a mistake.
As you will see, the second script is similar to the first in a number of ways. You run it from a computer joined to the affected domain. Therefore, if you are an external party, this is to be run on a system on the client's side.
If you do not correct the root cause, Admin Count and the security permissions will revert within the hour. You must also remove the accounts from the administrative group.
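The following correction script is an added example and is not the original post's script. It assumes a CSV with DistinguishedName and StillProtectedMember columns (the file name is an assumption) and only touches accounts that are no longer in a protected group, since AdminSDHolder would simply re-stamp the others. It supports -WhatIf so the change can be previewed before it is applied.

```powershell
# Added example (not the original post's script): clear adminCount and re-enable ACL
# inheritance for accounts that are no longer members of a protected group.
# Run from a domain-joined computer with an account permitted to write these objects.
# Assumption: $ReportPath is a CSV with DistinguishedName and StillProtectedMember columns.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ReportPath = '.\AdminCountReport.csv'
)

Import-Module ActiveDirectory

# Only orphaned accounts: if the account is still in a protected group, the fix reverts
# within the hour and the group membership is the real problem to correct.
$targets = Import-Csv -Path $ReportPath | Where-Object { $_.StillProtectedMember -eq 'False' }

foreach ($t in $targets) {
    $dn = $t.DistinguishedName
    if ($PSCmdlet.ShouldProcess($dn, 'Clear adminCount and re-enable inheritance')) {
        # 1. Remove the attribute entirely; an unset adminCount is the normal state.
        Set-ADUser -Identity $dn -Clear adminCount

        # 2. Re-enable inheritance on the object's security descriptor.
        #    isProtected = $false  -> inherit from the parent OU again
        #    preserveInheritance = $true -> keep the explicit ACEs already present
        $aclPath = "AD:\$dn"
        $acl = Get-Acl -Path $aclPath
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $aclPath -AclObject $acl

        Write-Output "Corrected $dn"
    }
}
```

Preview with `.\Fix-AdminCount.ps1 -WhatIf` (script name is an assumption), then run without the switch once the list matches what change control approved. Re-run the discovery step afterwards to confirm nothing has been re-stamped, which would indicate a remaining protected-group membership.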