Expected behavior: when a user is added to the "domain admins" group (whether directly or transitively), the attribute adminCount [1] should be incremented by 1.

Current behavior: when a user is added to the "domain admins" group, the attribute is neither added nor incremented. It is a security feature that is used in dsacl inheritance configuration [2].

[1] https://docs.microsoft.com/en-us/windows/desktop/adschema/a-admincount
[2] https://blogs.technet.microsoft.com/chadcox/2018/01/08/adposh-find-and-fix-adminsdholder-orphans-admincount/
(In reply to Denis Cardon from comment #0)

Dear Denis, considering that AdminSDHolder changes adminCount to 1 on AD, and that this can be seen in ADSI Edit for the user object. Or SDPROP (Security Descriptor Propagation) gets automatically activated after 60 minutes on the PDC emulator of the Active Directory domain and updates the adminCount value of every security object by the AdminSDHolder code. adminCount is set to 1. On Samba, is adminCount to be updated on running getent or id for the user?
(In reply to Amit Kumar from comment #1)

G'Day Amit, Denis is raising the fact that Samba AD does not implement this Windows AD feature. This is a reasonable feature request.
Here's a very good related article on this topic, German only though: https://www.msxfaq.de/konzepte/adminsdholder.htm
Also, various Microsoft Exchange versions seem to require AdminSDHolder functionality.
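
An added example, not part of the thread and not Samba code: a Python sketch of the audit this request implies. It walks "Domain Admins" membership transitively and reports users whose adminCount is not 1 (the gap described in comment #0, using the value 1 stated in comment #1), plus users that carry adminCount=1 without being members (the orphans named in the title of reference [2]). The directory entries, DNs and function names are constructed for illustration.

```python
# Added example: offline audit of adminCount against transitive group membership.
# DIRECTORY is constructed sample data, not output from a real domain.

def dn(name):
    """Build a DN under a hypothetical example.com domain."""
    return f"CN={name},CN=Users,DC=example,DC=com"

PROTECTED_ROOT = dn("Domain Admins")

DIRECTORY = {
    dn("Domain Admins"): {"objectClass": "group",
                          "member": [dn("alice"), dn("Tier0 Ops")]},
    # Nested group that also points back at its parent (membership cycle).
    dn("Tier0 Ops"): {"objectClass": "group",
                      "member": [dn("bob"), dn("Domain Admins")]},
    dn("alice"): {"objectClass": "user", "adminCount": 1},  # direct, stamped
    dn("bob"): {"objectClass": "user"},                     # transitive, unstamped
    dn("carol"): {"objectClass": "user", "adminCount": 1},  # stamped, not a member
    dn("dave"): {"objectClass": "user"},                    # ordinary account
}

def transitive_members(directory, root_dn):
    """Return every DN reachable through 'member' from root_dn (cycle-safe)."""
    seen, stack = set(), [root_dn]
    while stack:
        current = stack.pop()
        for child in directory.get(current, {}).get("member", []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def audit_admin_count(directory, root_dn):
    """Return (missing, orphans) as sorted lists of user DNs.

    missing: users under root_dn, directly or via nesting, without adminCount=1.
    orphans: users with adminCount=1 that are not under root_dn.
    Nested groups are traversed but only user objects are reported.
    """
    users = {d for d, e in directory.items() if e.get("objectClass") == "user"}
    protected = transitive_members(directory, root_dn) & users
    missing = sorted(d for d in protected if directory[d].get("adminCount") != 1)
    orphans = sorted(d for d in users - protected
                     if directory[d].get("adminCount") == 1)
    return missing, orphans

if __name__ == "__main__":
    missing, orphans = audit_admin_count(DIRECTORY, PROTECTED_ROOT)
    print("protected users without adminCount=1:", missing)
    print("adminCount=1 outside the protected group:", orphans)
```

Against a live directory the same two sets would be built from the group's member attributes and each user's adminCount value instead of the inline dictionary.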