Bug 13954 - adminCount is not incremented when a user is member of "Domain Admins" group
Summary: adminCount is not incremented when a user is member of "Domain Admins" group
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Keywords: exchange
Depends on:
Reported: 2019-05-16 21:26 UTC by Denis Cardon
Modified: 2021-02-26 11:17 UTC (History)
4 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Denis Cardon 2019-05-16 21:26:28 UTC
expected behavior:
when a user is added to the "domain admins" group (whether directly or transitively), the attribute adminCount[1] should be incremented by 1.

current behavior:
when a user is added to the "domain admins" group, the attribute is neither added nor incremented.

It is a security feature that is used in dsacl inheritance configuration [2]

[1] https://docs.microsoft.com/en-us/windows/desktop/adschema/a-admincount
[2] https://blogs.technet.microsoft.com/chadcox/2018/01/08/adposh-find-and-fix-adminsdholder-orphans-admincount/
Comment 1 Amit Kumar 2019-05-31 10:25:28 UTC
(In reply to Denis Cardon from comment #0)
Dear Denis,
considering AdminSDHolder changes adminCount to 1 on AD and that can be seen in ADSI edit for user object.

Or SDPROP(Security Descriptor Propagation) got automatically activated after 60 minutes on the PDC emulator of the Active Directory domain and update adminCount value of every security objects by AdminSDHolder code. adminCount is set to 1.

on samba adminCount to be updated on running getent or id for user?
Comment 2 Andrew Bartlett 2019-06-11 09:50:20 UTC
(In reply to Amit Kumar from comment #1)
G'Day Amit,

Denis is raising the fact that Samba AD does not implement this Windows AD feature. 

This is a reasonable feature request.
Comment 3 Björn Jacke 2020-10-02 23:24:12 UTC
here's a very good related article on this topic, German only though:
Comment 4 Björn Jacke 2020-10-08 20:59:08 UTC
also various Microsoft Exchange versions seems to require AdminSDHolder functionality.