Appendix C: Protected Accounts and Groups in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012


Within Active Directory, a default set of highly privileged accounts and groups are considered protected accounts and groups. With most objects in Active Directory, delegated administrators (users who have been delegated permissions to manage Active Directory objects) can change permissions on the objects, including, for example, changing permissions to allow themselves to change the membership of groups.

With protected accounts and groups, however, the objects' permissions are set and enforced by an automatic process that ensures the permissions on the objects remain consistent even if the objects are moved within the directory. Even if somebody manually changes a protected object's permissions, this process ensures that the permissions are returned to their defaults at its next run (every 60 minutes by default).

Protected Groups

The following table lists the protected groups in Active Directory by domain controller operating system.

Protected Accounts and Groups in Active Directory by Operating System

| Windows Server 2003 RTM | Windows Server 2003 SP1+ | Windows Server 2012, Windows Server 2008 R2, Windows Server 2008 | Windows Server 2016 |
|---|---|---|---|
| Account Operators | Account Operators | Account Operators | Account Operators |
| Administrator | Administrator | Administrator | Administrator |
| Administrators | Administrators | Administrators | Administrators |
| Backup Operators | Backup Operators | Backup Operators | Backup Operators |
| Cert Publishers | | | |
| Domain Admins | Domain Admins | Domain Admins | Domain Admins |
| Domain Controllers | Domain Controllers | Domain Controllers | Domain Controllers |
| Enterprise Admins | Enterprise Admins | Enterprise Admins | Enterprise Admins |
| Krbtgt | Krbtgt | Krbtgt | Krbtgt |
| Print Operators | Print Operators | Print Operators | Print Operators |
| | | Read-only Domain Controllers | Read-only Domain Controllers |
| Replicator | Replicator | Replicator | Replicator |
| Schema Admins | Schema Admins | Schema Admins | Schema Admins |
| Server Operators | Server Operators | Server Operators | Server Operators |

AdminSDHolder

The purpose of the AdminSDHolder object is to provide "template" permissions for the protected accounts and groups in the domain. AdminSDHolder is automatically created as an object in the System container of every Active Directory domain. Its path is CN=AdminSDHolder,CN=System,DC=<domain_component>,DC=<domain_component>.

Unlike most objects in an Active Directory domain, which are owned by the Administrators group, AdminSDHolder is owned by the Domain Admins group. By default, Enterprise Admins (EAs) can make changes to any domain's AdminSDHolder object, as can the domain's Domain Admins and Administrators groups. Additionally, although the default owner of AdminSDHolder is the domain's Domain Admins group, members of Administrators or Enterprise Admins can take ownership of the object. Because SDProp copies the permissions of this one object onto every protected account and group, any ACE added to AdminSDHolder is propagated to all of them; changes to this object should be tightly restricted and audited.

SDProp

SDProp is a process that runs every 60 minutes (by default) on the domain controller that holds the domain's PDC Emulator (PDCE) role. SDProp compares the permissions on the domain's AdminSDHolder object with the permissions on the protected accounts and groups in the domain. If the permissions on any of the protected accounts and groups do not match the permissions on the AdminSDHolder object, the permissions on those protected accounts and groups are reset to match those of the domain's AdminSDHolder object.

Additionally, permissions inheritance is disabled on protected groups and accounts, which means that even if the accounts and groups are moved to different locations in the directory, they do not inherit permissions from their new parent objects. Inheritance is also disabled on the AdminSDHolder object itself, so that permission changes to its parent objects do not change the permissions of AdminSDHolder.
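The comparison SDProp performs can be reproduced from an administrative workstation to find objects whose ACL has drifted from the AdminSDHolder template before the next scheduled pass. The following is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module and read access to the nTSecurityDescriptor attribute, and the function name Get-AdminSDHolderDrift is the example's own. It relies on the adminCount=1 marker that SDProp sets on every object it has protected.

```powershell
# Added example (not from the original page): compare the DACL of every object
# SDProp has marked as protected (adminCount=1) with the AdminSDHolder template,
# which is the same comparison SDProp performs on the PDCE every 60 minutes.
# Assumes the RSAT ActiveDirectory module and read access to nTSecurityDescriptor.
Import-Module ActiveDirectory

function Get-AdminSDHolderDrift {
    param(
        # Query the PDCE, since that is the DC on which SDProp writes.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    $domainDn = (Get-ADDomain -Server $Server).DistinguishedName
    $template = Get-ADObject -Server $Server `
        -Identity "CN=AdminSDHolder,CN=System,$domainDn" `
        -Properties nTSecurityDescriptor

    # DACL only: SDProp stamps the template's DACL onto each protected object and
    # sets the "protected" flag (inheritance disabled) on it.
    $templateDacl = $template.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')

    # adminCount=1 is the marker SDProp leaves on every object it has protected.
    Get-ADObject -Server $Server -LDAPFilter '(adminCount=1)' `
        -Properties nTSecurityDescriptor, objectClass |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        [pscustomobject]@{
            DistinguishedName  = $_.DistinguishedName
            ObjectClass        = $_.ObjectClass
            InheritanceBlocked = $sd.AreAccessRulesProtected
            DaclMatchesHolder  = ($sd.GetSecurityDescriptorSddlForm('Access') -eq $templateDacl)
        }
    }
}

# Anything reporting $false in either column has been changed since the last
# SDProp pass, or is an orphaned adminCount=1 object that SDProp no longer touches
# because it left all protected groups (its ACL stays frozen and inheritance stays off).
Get-AdminSDHolderDrift | Where-Object { -not $_.InheritanceBlocked -or -not $_.DaclMatchesHolder }
```

The SDDL string comparison is deliberately strict: an extra or reordered ACE on a protected object is exactly the condition SDProp will correct, and is also what a freshly planted ACE on AdminSDHolder looks like on the objects it has already reached.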

Changing the SDProp Interval

Normally, you should not need to change the interval at which SDProp runs, except for testing purposes. If you need to change the SDProp interval, on the PDCE for the domain, use regedit to add or modify the AdminSDProtectFrequency DWORD value in HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

The range of values is in seconds, from 60 to 7200 (one minute to two hours). To reverse the change, delete the AdminSDProtectFrequency value, which causes SDProp to revert to the 60-minute interval. You generally should not reduce this interval in production domains, because doing so increases LSASS processing overhead on the domain controller; the size of that increase depends on the number of protected objects in the domain.
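The same registry change, with the range check and the PDCE check a practitioner would want, as an added example that is not part of the original page. It assumes it is run elevated on the PDCE with the RSAT ActiveDirectory module available; the function names are the example's own.

```powershell
# Added example (not from the original page): inspect, set, and reset the SDProp
# interval. Assumes an elevated session on the PDCE and the RSAT ActiveDirectory
# module (used only to confirm this host holds the PDC Emulator role).
Import-Module ActiveDirectory

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName  = 'AdminSDProtectFrequency'

function Assert-IsPdcEmulator {
    # SDProp runs only on the PDCE; the value has no effect on any other DC.
    $pdce = (Get-ADDomain).PDCEmulator
    $me   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($pdce -ne $me) {
        throw "This host ($me) is not the PDC Emulator ($pdce); change the interval there."
    }
}

function Get-SDPropInterval {
    $v = Get-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 3600 }   # value absent: built-in default of 60 minutes
    return [int]$v.$valueName
}

function Set-SDPropInterval {
    # Enforce the documented range of 60 to 7200 seconds before touching the registry.
    param([Parameter(Mandatory)][ValidateRange(60, 7200)][int]$Seconds)
    Assert-IsPdcEmulator
    # -Force creates the DWORD if it is missing and overwrites it if present.
    New-ItemProperty -Path $ntdsParams -Name $valueName -PropertyType DWord -Value $Seconds -Force | Out-Null
}

function Reset-SDPropInterval {
    Assert-IsPdcEmulator
    # Delete the value (not the Parameters key) to return SDProp to every 60 minutes.
    Remove-ItemProperty -Path $ntdsParams -Name $valueName -ErrorAction SilentlyContinue
}

"Current SDProp interval: {0} s" -f (Get-SDPropInterval)
# Set-SDPropInterval -Seconds 300   # lab/test only: five-minute interval
# Reset-SDPropInterval              # back to the 60-minute default
```

Keep the Set-SDPropInterval call commented out until you are on a test PDCE; for production, the manual-run method in the next section achieves the same immediate effect without changing the schedule.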

Running SDProp Manually

A better approach to testing AdminSDHolder changes is to run SDProp manually, which causes the task to run immediately without affecting its scheduled execution. Running SDProp manually is performed slightly differently on domain controllers running Windows Server 2008 and earlier than on domain controllers running Windows Server 2012 or Windows Server 2008 R2.

Procedures for running SDProp manually on older operating systems are provided in Microsoft Support article 251343, and step-by-step instructions for both older and newer operating systems follow. In either case, you must connect to the rootDSE object in Active Directory and perform a modify operation with a null DN (which addresses the rootDSE object), specifying the name of the operation as the attribute to modify. For more information about modifiable operations on the rootDSE object, see rootDSE Modify Operations on the MSDN website.

Running SDProp Manually in Windows Server 2008 or Earlier

You can force SDProp to run by using Ldp.exe or by running an LDAP modification script. To run SDProp using Ldp.exe, perform the following steps after you have made changes to the AdminSDHolder object in a domain:

  1. Launch Ldp.exe.

  2. On the Ldp dialog box, click Connection, and then click Connect.

  3. In the Connect dialog box, type the name of the domain controller that holds the PDC Emulator (PDCE) role for the domain, and click OK.

  4. Verify that you have connected successfully, as indicated by Dn: (RootDSE) in the Ldp window, then click Connection and click Bind.

  5. In the Bind dialog box, type the credentials of a user account that has permission to modify the rootDSE object. (If you are logged on as that user, you can select Bind as currently logged on user.) Click OK.

  6. After you have completed the bind operation, click Browse, and then click Modify.

  7. In the Modify dialog box, leave the DN field blank. In the Edit Entry Attribute field, type FixUpInheritance, and in the Values field, type Yes. Click Enter to populate the Entry List.

  8. In the populated Modify dialog box, click Run, and then verify that the changes you made to the AdminSDHolder object have been propagated to the protected accounts and groups.

Note

For information about modifying AdminSDHolder to allow designated unprivileged accounts to modify the membership of protected groups, see Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory.

If you prefer to run SDProp manually via LDIFDE or a script, create a modify entry against the rootDSE (an empty DN) that adds the FixUpInheritance attribute with the value Yes.


Running SDProp Manually in Windows Server 2012 or Windows Server 2008 R2

You can also force SDProp to run by using Ldp.exe or by running an LDAP modification script. To run SDProp using Ldp.exe, perform the following steps after you have made changes to the AdminSDHolder object in a domain:

  1. Launch Ldp.exe.

  2. In the Ldp dialog box, click Connection, and then click Connect.

  3. In the Connect dialog box, type the name of the domain controller that holds the PDC Emulator (PDCE) role for the domain, and click OK.

  4. Verify that you have connected successfully, as indicated by Dn: (RootDSE) in the Ldp window, then click Connection and click Bind.

  5. In the Bind dialog box, type the credentials of a user account that has permission to modify the rootDSE object. (If you are logged on as that user, you can select Bind as currently logged on user.) Click OK.

  6. After you have completed the bind operation, click Browse, and then click Modify.

  7. In the Modify dialog box, leave the DN field blank. In the Edit Entry Attribute field, type RunProtectAdminGroupsTask, and in the Values field, type 1. Click Enter to populate the Entry List.

  8. In the populated Modify dialog box, click Run, and then verify that the changes you made to the AdminSDHolder object have been propagated to the protected accounts and groups.

If you prefer to run SDProp manually via LDIFDE or a script, create a modify entry against the rootDSE (an empty DN) that adds the RunProtectAdminGroupsTask attribute with the value 1.

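Both Ldp.exe procedures above, and the LDIFDE alternative mentioned after each, perform the same rootDSE modify with a null DN; the only difference is the operation name (FixUpInheritance=Yes on Windows Server 2008 and earlier, RunProtectAdminGroupsTask=1 on Windows Server 2008 R2 and Windows Server 2012). The following is an added example, not code from the original page or from Microsoft, that scripts that modify with ADSI and also writes the equivalent LDIF file for ldifde. It assumes the RSAT ActiveDirectory module (used only to locate the PDCE) and a caller permitted to modify rootDSE; the function names and the file name RunSDProp.ldf are the example's own.

```powershell
# Added example (not from the original page): trigger SDProp by modifying the
# rootDSE operational attribute, which is what the Ldp.exe steps do by hand.
# Assumes the RSAT ActiveDirectory module and a caller allowed to modify rootDSE.
Import-Module ActiveDirectory

function Invoke-SDProp {
    param(
        # -Legacy selects FixUpInheritance=Yes (Windows Server 2008 and earlier);
        # the default is RunProtectAdminGroupsTask=1 (Windows Server 2008 R2 / 2012).
        [switch]$Legacy,
        # Target the PDCE explicitly: SDProp runs only there, so the same modify
        # sent to any other DC has no effect.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    if ($Legacy) { $attr = 'FixUpInheritance';          $value = 'Yes' }
    else         { $attr = 'RunProtectAdminGroupsTask'; $value = '1'   }

    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $rootDse.Put($attr, $value)   # attribute name = operation name, DN is null
    $rootDse.SetInfo()            # commits the modify; SDProp starts on the PDCE
    "Requested $attr=$value on $Server"
}

function New-SDPropLdif {
    # Writes the same modify as an LDIF file for:  ldifde -i -f RunSDProp.ldf -s <PDCE>
    # Note the empty "dn:" line (the rootDSE) and the trailing "-" terminator.
    param([switch]$Legacy, [string]$Path = '.\RunSDProp.ldf')
    $attr  = if ($Legacy) { 'FixUpInheritance' } else { 'RunProtectAdminGroupsTask' }
    $value = if ($Legacy) { 'Yes' } else { '1' }
    $ldif  = "dn:`r`nchangetype: modify`r`nadd: $attr`r`n${attr}: $value`r`n-`r`n"
    Set-Content -Path $Path -Value $ldif -Encoding ASCII
    $Path
}

Invoke-SDProp               # newer operation name; add -Legacy for Windows Server 2008 and earlier
New-SDPropLdif              # produces RunSDProp.ldf for an ldifde-based run instead
```

After the call returns, confirm the result the same way the Ldp.exe steps ask you to: read the ACL of a protected group and check that the AdminSDHolder change is now present on it. The modify itself only queues the task, so a brief delay before the check is normal.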