This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 18%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Hi everyone. Hope I am asking in the right place.
I have Exchange 2019 on a 2012R2 domain. I was experiencing issues connecting remotely to Exchange. According to multiple articles, the solution was to enable permissions inheritance on the AD user account (ADUC -> Open user -> Security -> Advanced -> Enable Inheritance).
This works fine, but it appears that this setting is being reverted regularly and frequently. As in every few hours.
Something in Active Directory really doesn't like permissions inheritance, but it appears to be required for Exchange to run.
Thanks in advance for any thoughts.
.jp.
Hi there!
What you are seeing is expected if your account is a member of any elevated groups. The recommendation is to not add any mailbox enabled account to an elevated group and permission inheritance wont be disabled.
https://petri.com/active-directory-security-understanding-adminsdholder-object
Thanks guys. This is exactly the issue. The user in question is a Domain Admin, and needs that privilege.
My next move will be a discussion between the user and other stakeholders. Probably demote this user and give him another for Domain Admin work.
Thanks again.
.jp.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
Agree with Andy David, we could kindly have a check whether this user account is protected user, which is a member of the protected group.
For the users and groups that are members of the protected groups:
• Security inheritance is disabled
• The ACL on the user/group is replaced with the ACL from the AdminSDHolder object in the System container in AD (a smaller, much more restrictive ACL)
• The adminCount attribute on the user/group is set to 1.
For example:
AdminSDHolder permissions apply to security principals that belong to protected groups. The Security Descriptor Propagation (SDPROP) process runs every hour on the domain controller holding the PDC emulator FSMO role. It is this process that sets the adminCount attribute to 1. The main function of SDPROP is to protect highly-privileged Active Directory accounts, ensuring that they can’t be deleted or have rights modified, accidentally or intentionally, by users or processes with less privilege.
If we reenable inheritance on the affected users and clear the adminCount attribute and the group membership that triggered those items being changed in the first place is still there, then SDPROP will revert our changes within the hour. So before cleaning up the permissions on these accounts, we need to ensure they are not affected by AdminSDHolder.
Here we would like to share more information with you:
https://learn.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)?redirectedfrom=MSDN
For any question, please feel free to contact us.
Best regards,
Hannah Xiong