Appendix C: Protected Accounts and Groups in Active Directory

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012


Within Active Directory, a default set of highly privileged accounts and groups is considered protected accounts and groups. With most objects in Active Directory, delegated administrators (users who have been delegated permissions to manage Active Directory objects) can change permissions on the objects, including, for example, changing permissions to allow themselves to change the memberships of groups.

However, with protected accounts and groups, the objects' permissions are set and enforced by an automatic process that ensures the permissions on the objects remain consistent even if the objects are moved within the directory. Even if somebody manually changes a protected object's permissions, this process ensures that the permissions are returned to their defaults quickly.

Protected Groups

The following table lists the protected groups in Active Directory by domain controller operating system.

Protected Accounts and Groups in Active Directory by Operating System

| Windows 2000 <SP4 | Windows 2000 SP4 - Windows Server 2003 RTM | Windows Server 2003 SP1+ | Windows Server 2012, Windows Server 2008 R2, Windows Server 2008 |
|---|---|---|---|
| Administrators | Account Operators | Account Operators | Account Operators |
|  | Administrator | Administrator | Administrator |
|  | Administrators | Administrators | Administrators |
|  | Backup Operators | Backup Operators | Backup Operators |
|  | Cert Publishers |  |  |
| Domain Admins | Domain Admins | Domain Admins | Domain Admins |
|  | Domain Controllers | Domain Controllers | Domain Controllers |
| Enterprise Admins | Enterprise Admins | Enterprise Admins | Enterprise Admins |
|  | Krbtgt | Krbtgt | Krbtgt |
|  | Print Operators | Print Operators | Print Operators |
|  |  |  | Read-only Domain Controllers |
|  | Replicator | Replicator | Replicator |
| Schema Admins | Schema Admins | Schema Admins | Schema Admins |
|  | Server Operators | Server Operators | Server Operators |

AdminSDHolder

The purpose of the AdminSDHolder object is to provide "template" permissions for the protected accounts and groups in the domain. AdminSDHolder is automatically created as an object in the System container of every Active Directory domain. Its path is: CN=AdminSDHolder,CN=System,DC=<domain_component>,DC=<domain_component>.

Unlike most objects in the Active Directory domain, which are owned by the Administrators group, AdminSDHolder is owned by the Domain Admins group. By default, Enterprise Admins (EAs) can make changes to any domain's AdminSDHolder object, as can the domain's Domain Admins and Administrators groups. Additionally, although the default owner of AdminSDHolder is the domain's Domain Admins group, members of Administrators or Enterprise Admins can take ownership of the object.

SDProp

SDProp is a process that runs every 60 minutes (by default) on the domain controller that holds the domain's PDC Emulator (PDCE) role. SDProp compares the permissions on the domain's AdminSDHolder object with the permissions on the protected accounts and groups in the domain. If the permissions on any of the protected accounts and groups do not match the permissions on the AdminSDHolder object, the permissions on those protected accounts and groups are reset to match those of the domain's AdminSDHolder object.

Additionally, permissions inheritance is disabled on protected groups and accounts, which means that even if the accounts and groups are moved to different locations in the directory, they do not inherit permissions from their new parent objects. Inheritance is also disabled on the AdminSDHolder object itself, so that permission changes to its parent objects do not change the permissions of AdminSDHolder.
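The comparison SDProp performs can be reproduced from the defender's side to find objects whose permissions currently deviate from the template, either because someone changed them by hand and SDProp has not yet run, or because AdminSDHolder itself was changed. The following PowerShell is an added example, not code from the Microsoft page. It relies on the adminCount attribute, which the page does not discuss: SDProp sets adminCount=1 on every object it stamps and never clears it, so objects that were once in a protected group keep the template permissions ("orphaned" protected objects) and also show up here. The function name is my own; the script assumes the ActiveDirectory module and a session in the domain being audited.

```powershell
# Added example (not from the Microsoft page): compare the DACL of every object
# SDProp has stamped (adminCount=1) with the DACL of the domain's AdminSDHolder.
# Assumes the ActiveDirectory module (which maps the AD: drive) and read access
# to the directory of the current domain.
Import-Module ActiveDirectory

function Get-AdminSDHolderDrift {
    $domain   = Get-ADDomain
    $holderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

    # Compare only the DACL ("Access" section). The owner legitimately differs:
    # AdminSDHolder is owned by Domain Admins, while user and group objects
    # typically are not.
    $sections   = [System.Security.AccessControl.AccessControlSections]::Access
    $holderAcl  = Get-Acl -Path "AD:\$holderDn"
    $holderDacl = $holderAcl.GetSecurityDescriptorSddlForm($sections)

    # Query the PDCE, because that is where SDProp writes; other DCs may lag
    # behind by one replication cycle.
    $protected = Get-ADObject -Server $domain.PDCEmulator `
        -SearchBase $domain.DistinguishedName `
        -LDAPFilter '(adminCount=1)' `
        -Properties adminCount

    foreach ($obj in $protected) {
        $acl  = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        $dacl = $acl.GetSecurityDescriptorSddlForm($sections)
        [pscustomobject]@{
            DistinguishedName       = $obj.DistinguishedName
            ObjectClass             = $obj.ObjectClass
            # True when the DACL text differs from the template. Treat it as a
            # flag to inspect: a manual change SDProp will revert within the
            # next interval, or a change to AdminSDHolder not yet propagated.
            DaclDiffersFromTemplate = ($dacl -ne $holderDacl)
            # SDProp disables inheritance on protected objects. False here means
            # the object is inheriting from its parent and will be reset.
            InheritanceDisabled     = $acl.AreAccessRulesProtected
        }
    }
}

# Usage: show only the objects that currently deviate from AdminSDHolder.
Get-AdminSDHolderDrift |
    Where-Object { $_.DaclDiffersFromTemplate -or -not $_.InheritanceDisabled } |
    Format-Table -AutoSize
```

Running this immediately after a deliberate change to AdminSDHolder, and again after the next SDProp cycle, shows the propagation described above: the first run lists every protected object as differing, the second run lists none.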

Changing the SDProp Interval

Normally, you should not need to change the interval at which SDProp runs, except for testing purposes. If you need to change the SDProp interval, on the PDCE for the domain, use regedit to add or modify the AdminSDProtectFrequency DWORD value in HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

The range of values is in seconds, from 60 to 7200 (one minute to two hours). To reverse the change, delete the AdminSDProtectFrequency value, which causes SDProp to revert to its 60-minute interval. You generally should not reduce this interval in production domains, because it can increase LSASS processing overhead on the domain controller. The impact of this increase depends on the number of protected objects in the domain.
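The registry procedure above, as an added PowerShell example (not code from the Microsoft page). It targets the PDCE automatically, enforces the 60 to 7200 second range the page states, and reverts by deleting the value. The function names are my own; the script assumes the ActiveDirectory module, PowerShell remoting to the PDCE, and local administrator rights on that domain controller.

```powershell
# Added example (not from the Microsoft page): read, change and revert the
# AdminSDProtectFrequency value on the PDC Emulator. Function names are mine.
# Assumes the ActiveDirectory module, PowerShell remoting to the PDCE and
# administrator rights on it.
Import-Module ActiveDirectory

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName  = 'AdminSDProtectFrequency'

function Get-PdcEmulator {
    # SDProp runs only on the PDCE, so the value matters only there.
    (Get-ADDomain).PDCEmulator
}

function Get-SDPropInterval {
    Invoke-Command -ComputerName (Get-PdcEmulator) -ScriptBlock {
        param($Path, $Name)
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: SDProp uses its built-in default of 60 minutes.
            [pscustomobject]@{ PDCEmulator = $env:COMPUTERNAME; Seconds = 3600; Source = 'default' }
        } else {
            [pscustomobject]@{ PDCEmulator = $env:COMPUTERNAME; Seconds = $item.$Name; Source = 'registry' }
        }
    } -ArgumentList $NtdsParams, $ValueName
}

function Set-SDPropInterval {
    param(
        # Allowed range per the page: 60 to 7200 seconds. Anything else is rejected
        # before touching the registry.
        [Parameter(Mandatory)][ValidateRange(60, 7200)][int]$Seconds
    )
    Invoke-Command -ComputerName (Get-PdcEmulator) -ScriptBlock {
        param($Path, $Name, $Value)
        # Creates the DWORD value if it is missing, overwrites it if present.
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    } -ArgumentList $NtdsParams, $ValueName, $Seconds
}

function Reset-SDPropInterval {
    # Deleting the value returns SDProp to its default 60-minute interval.
    Invoke-Command -ComputerName (Get-PdcEmulator) -ScriptBlock {
        param($Path, $Name)
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    } -ArgumentList $NtdsParams, $ValueName
}

# Usage in a test domain: shorten the interval to five minutes while verifying
# an AdminSDHolder change, then put it back.
Get-SDPropInterval
Set-SDPropInterval -Seconds 300
Get-SDPropInterval
Reset-SDPropInterval
```

The change takes effect on the PDCE only; if the PDCE role is later transferred, the new role holder runs SDProp at the default interval unless the value is set there too.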

Running SDProp Manually

A better approach to testing AdminSDHolder changes is to run SDProp manually, which causes the task to run immediately but does not affect its scheduled execution. Running SDProp manually is performed slightly differently on domain controllers running Windows Server 2008 and earlier than on domain controllers running Windows Server 2012 or Windows Server 2008 R2.

Procedures for running SDProp manually on older operating systems are provided in Microsoft Support article 251343, and step-by-step instructions for both older and newer operating systems follow. In either case, you must connect to the rootDSE object in Active Directory and perform a modify operation with a null DN (the rootDSE object), specifying the name of the operation as the attribute to modify. For more information about modifiable operations on the rootDSE object, see rootDSE Modify Operations on the MSDN website.

Running SDProp Manually in Windows Server 2008 or Earlier

You can force SDProp to run by using Ldp.exe or by running an LDAP modification script. To run SDProp using Ldp.exe, perform the following steps after you have made changes to the AdminSDHolder object in a domain:

  1. Launch Ldp.exe.

  2. In the Ldp dialog box, click Connection, and click Connect.


  3. In the Connect dialog box, type the name of the domain controller for the domain that holds the PDC Emulator (PDCE) role, and click OK.


  4. Verify that you have connected successfully, as indicated by Dn: (RootDSE) in the Ldp output, then click Connection and click Bind.


  5. In the Bind dialog box, type the credentials of a user account that has permission to modify the rootDSE object. (If you are logged on as that user, you can select Bind as currently logged on user.) Click OK.


  6. After you have completed the bind operation, click Browse, and click Modify.


  7. In the Modify dialog box, leave the DN field blank. In the Edit Entry Attribute field, type FixUpInheritance, and in the Values field, type Yes. Click Enter to populate the Entry List.


  8. In the populated Modify dialog box, click Run, and verify that the changes you made to the AdminSDHolder object have appeared on that object.

Note

For information about modifying AdminSDHolder to allow designated unprivileged accounts to modify the membership of protected groups, see Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory.

If you prefer to run SDProp manually via LDIFDE or a script, you can create an equivalent modify entry against the rootDSE object instead of using the Ldp.exe dialog.


Running SDProp Manually in Windows Server 2012 or Windows Server 2008 R2

You can also force SDProp to run by using Ldp.exe or by running an LDAP modification script. To run SDProp using Ldp.exe, perform the following steps after you have made changes to the AdminSDHolder object in a domain:

  1. Launch Ldp.exe.

  2. In the Ldp dialog box, click Connection, and click Connect.


  3. In the Connect dialog box, type the name of the domain controller for the domain that holds the PDC Emulator (PDCE) role, and click OK.


  4. Verify that you have connected successfully, as indicated by Dn: (RootDSE) in the Ldp output, then click Connection and click Bind.


  5. In the Bind dialog box, type the credentials of a user account that has permission to modify the rootDSE object. (If you are logged on as that user, you can select Bind as currently logged on user.) Click OK.


  6. After you have completed the bind operation, click Browse, and click Modify.


  7. In the Modify dialog box, leave the DN field blank. In the Edit Entry Attribute field, type RunProtectAdminGroupsTask, and in the Values field, type 1. Click Enter to populate the Entry List.


  8. In the populated Modify dialog box, click Run, and verify that the changes you made to the AdminSDHolder object have appeared on that object.

If you prefer to run SDProp manually via LDIFDE or a script, you can create an equivalent modify entry against the rootDSE object instead of using the Ldp.exe dialog.

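The LDIFDE and script alternatives mentioned for both procedures (Windows Server 2008 or earlier with FixUpInheritance, and Windows Server 2008 R2 or 2012 with RunProtectAdminGroupsTask), as one added PowerShell example that is not code from the Microsoft page. It builds the LDIF modify entry for the null DN, imports it with ldifde.exe, and also shows the same rootDSE modify performed directly through ADSI, which is exactly what the Ldp.exe steps do. The attribute names and values come from the page; the function names, the version check and the file path are my own. It assumes the ActiveDirectory module, that it runs as an account allowed to modify rootDSE, and that it is pointed at the domain's PDCE.

```powershell
# Added example (not from the Microsoft page): trigger SDProp immediately with
# a rootDSE modify, via an LDIF file imported by ldifde.exe or via ADSI.
# Attribute names are from the page; function names and file path are mine.
# Run as an account permitted to modify rootDSE, against the PDCE.
Import-Module ActiveDirectory

function Get-SDPropTriggerAttribute {
    param([Parameter(Mandatory)][string]$DomainController)
    # Windows Server 2008 and earlier (NT 6.0 and below): FixUpInheritance = Yes
    # Windows Server 2008 R2 and later (NT 6.1 and above): RunProtectAdminGroupsTask = 1
    $shortName = $DomainController.Split('.')[0]
    $version   = (Get-ADComputer -Identity $shortName -Properties OperatingSystemVersion).OperatingSystemVersion
    $major, $minor = $version.Split(' ')[0].Split('.')   # e.g. "6.1 (7601)" -> 6, 1
    if ([int]$major -gt 6 -or ([int]$major -eq 6 -and [int]$minor -ge 1)) {
        @{ Name = 'RunProtectAdminGroupsTask'; Value = '1' }
    } else {
        @{ Name = 'FixUpInheritance'; Value = 'Yes' }
    }
}

function New-SDPropLdif {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string]$Path = "$env:TEMP\run-sdprop.ldf"   # constructed path, not from the page
    )
    $attr = Get-SDPropTriggerAttribute -DomainController $DomainController
    # An empty "dn:" line addresses rootDSE (the null DN); "-" ends the change.
    $ldif = @(
        'dn:',
        'changetype: modify',
        "add: $($attr.Name)",
        "$($attr.Name): $($attr.Value)",
        '-',
        ''
    ) -join "`r`n"
    Set-Content -Path $Path -Value $ldif -Encoding ASCII
    $Path
}

function Invoke-SDPropViaLdifde {
    param([Parameter(Mandatory)][string]$DomainController)
    $ldf = New-SDPropLdif -DomainController $DomainController
    # -i import mode, -f input file, -s target server (the PDCE).
    & ldifde.exe -i -f $ldf -s $DomainController
}

function Invoke-SDPropViaAdsi {
    param([Parameter(Mandatory)][string]$DomainController)
    $attr = Get-SDPropTriggerAttribute -DomainController $DomainController
    # Same operation the Ldp.exe steps perform: a modify on rootDSE with the
    # operation name as the attribute. The task runs immediately and does not
    # change the scheduled interval.
    $rootDse = [ADSI]"LDAP://$DomainController/RootDSE"
    $rootDse.Put($attr.Name, $attr.Value)
    $rootDse.SetInfo()
}

# Usage: trigger SDProp on the PDCE, then inspect a protected group to confirm
# that an AdminSDHolder change has been applied to it.
$pdce = (Get-ADDomain).PDCEmulator
Invoke-SDPropViaAdsi -DomainController $pdce
(Get-Acl -Path "AD:\$((Get-ADGroup 'Domain Admins').DistinguishedName)").Access |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
```

Both paths perform the same LDAP modify; ldifde is convenient when the change must be kept as an auditable file, while the ADSI form fits a test script that triggers SDProp and then asserts on a protected object's ACL in one run.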