Aug 20 2021 10:47 AM
Hi everyone, we are trying to clean up the security ACLs on a few privileged groups. My biggest issue right now is when I select disable inheritance and remove all of the groups/users off the main group, after a little bit the users/groups will show back up under the security tab. I'm assuming SDPROP is causing it. I'm testing on one group of changing the adminCount to 0 from 1 and removing a user off the security tab to see if it gets added back or not. Anyone had this issue before?
Thanks!
Nov 10 2021 12:50 AM
I'm going to wager the author's moved on, but I'll answer this anyway.
Note: I ordinarily recommend you do not change the ACL on AdminSDHolder.
If you do change the ACL, you don't get to choose which subset of groups and accounts it is applied to. Everything protected by the SDProp process will receive the same ACL, which may lead to other unexpected outcomes.
SDProp sets adminCount to 1 when an object is added to a protected group; however, it is not subsequently reset to 0 if the object is subsequently removed. Hence, why I say it's only a semi-reliable indicator.
Additionally, if you're playing around with the AdminSDHolder ACL, keep in mind that the ACLs on affected objects have inheritance disabled and, just as with the adminCount attribute, are not reset if the object falls out of scope of the SDProp process. You will have to identify such objects and re-enable inheritance yourself.
This can be scripted via PowerShell (or whatever language you prefer) but, frankly, as I said above, I'd just leave it alone unless you have a profoundly compelling reason for fiddling with it.
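The clean-up described in the answer above, sketched in PowerShell as an added example (not part of either post): it lists objects whose adminCount is still 1 although they are no longer in a protected group, shows whether inheritance is still disabled, and changes nothing unless run with -Fix. The group-name list assumes a single English-language domain with the default protected groups; the -Fix switch and the variable names are this example's own.

```powershell
# Added example: report (and with -Fix, repair) objects SDProp left behind.
# Assumption: one English-language domain with the default protected groups.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$protectedGroupNames = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
    'Account Operators','Backup Operators','Print Operators','Server Operators',
    'Domain Controllers','Read-only Domain Controllers','Replicator'

$protectedDns  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$protectedRids = [System.Collections.Generic.HashSet[string]]::new()

foreach ($name in $protectedGroupNames) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) { continue }
    [void]$protectedDns.Add($group.DistinguishedName)
    [void]$protectedRids.Add($group.SID.Value.Split('-')[-1])   # for primaryGroupID matches
    # Transitive members (users and nested groups) via LDAP_MATCHING_RULE_IN_CHAIN.
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
        ForEach-Object { [void]$protectedDns.Add($_.DistinguishedName) }
}
# krbtgt is protected without being a member of any of the groups above.
[void]$protectedDns.Add((Get-ADUser -Identity krbtgt).DistinguishedName)

# adminCount=1 but no longer in scope: not a (nested) member, not via primary group.
$stale = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount, primaryGroupID |
    Where-Object {
        -not $protectedDns.Contains($_.DistinguishedName) -and
        -not $protectedRids.Contains([string]$_.primaryGroupID)
    }

foreach ($obj in $stale) {
    $path = "AD:\$($obj.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    [pscustomobject]@{
        DistinguishedName   = $obj.DistinguishedName
        InheritanceDisabled = $acl.AreAccessRulesProtected
    }
    if ($Fix -and $PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Clear adminCount and re-enable inheritance')) {
        $acl.SetAccessRuleProtection($false, $true)   # $false = inheritance back on
        Set-Acl -Path $path -AclObject $acl
        Set-ADObject -Identity $obj.DistinguishedName -Clear adminCount
    }
}
```

Re-enabling inheritance does not remove the explicit ACEs that were copied from AdminSDHolder; those stay on the object until they are cleaned up separately.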