I was once migrating Azure AD Connect from one server to another. After the migration, some accounts failed to be updated with an insufficient-rights error, even though the connector account had been granted rights on the AdminSDHolder container.
After some digging, I found that some accounts historically had adminCount set to 1 and inheritance turned off: SDProp sets both on members of protected groups and leaves them in place after the account is removed from the group. To fix that, I used the script below:
You need at least Domain Admin rights to change these security settings, or even more, depending on how badly AD is mangled 🙂
Import-Module ActiveDirectory

#Create search variables
$AdminGroups = Get-ADGroup -LDAPFilter "(adminCount=1)"
$AdminUsers  = Get-ADUser  -LDAPFilter "(adminCount=1)"
#Collect the users that are currently members of a protected group; -Recursive is needed,
#otherwise users that are only members through a nested group would be treated as orphans
$Admins = ForEach ($Group in $AdminGroups) {
    Get-ADGroupMember $Group -Recursive | Where-Object { $_.ObjectClass -eq "user" }
}

#Create empty arrays to store the results
$PGUsers     = @()
$OrphanUsers = @()

#Compare $AdminUsers to $Admins and place in appropriate array
#(-contains does an exact GUID comparison; -Match would treat the GUID as a regex)
ForEach ($User in $AdminUsers) {
    If ($Admins.objectGUID -contains $User.objectGUID) {
        $PGUsers += $User.SamAccountName
    }
    Else {
        $OrphanUsers += $User.SamAccountName
    }
}

#Clear AdminCount attribute and enable inheritance on every orphaned user
ForEach ($Orphan in $OrphanUsers) {
    #Clear AdminCount attribute
    $ADUser = Get-ADUser $Orphan
    Set-ADUser $ADUser -Clear adminCount
    Write-Host ($ADUser.SamAccountName + " | admin count was reset")

    #Enable inheritance on the object's security descriptor
    $dn  = [ADSI]("LDAP://" + $ADUser.DistinguishedName)
    $acl = $dn.psbase.ObjectSecurity
    if ($acl.AreAccessRulesProtected) {
        $isProtected         = $false   #stop blocking inherited ACEs
        $preserveInheritance = $true    #keep the explicit ACEs that are already there
        $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $dn.psbase.CommitChanges()
        Write-Host ($ADUser.SamAccountName + " | inheritance set to enabled")
    }
    else {
        Write-Host ($ADUser.SamAccountName + " | inheritance already enabled")
    }
}
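Before running the fix, it is worth producing a read-only report of which adminCount=1 users are still members of a protected group and which have inheritance blocked, so the list of orphans can be reviewed first. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module is available and an account with read access to the user objects, and it changes nothing. The output file name admincount-orphans.csv is an assumed path.

```powershell
# Added example: audit adminCount=1 users without modifying anything.
Import-Module ActiveDirectory

# Groups currently covered by SDProp carry adminCount=1 themselves.
$protectedGroups = Get-ADGroup -LDAPFilter "(adminCount=1)"

# GUIDs of every user that is a member of a protected group, nested membership included.
$protectedMemberGuids = @{}
foreach ($group in $protectedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protectedMemberGuids[$_.objectGUID.ToString()] = $true }
}

# All users flagged adminCount=1, with the security descriptor so the inheritance flag can be read.
$flaggedUsers = Get-ADUser -LDAPFilter "(adminCount=1)" -Properties adminCount, nTSecurityDescriptor

$report = foreach ($user in $flaggedUsers) {
    [PSCustomObject]@{
        SamAccountName       = $user.SamAccountName
        StillProtectedMember = $protectedMemberGuids.ContainsKey($user.objectGUID.ToString())
        InheritanceBlocked   = $user.nTSecurityDescriptor.AreAccessRulesProtected
        DistinguishedName    = $user.DistinguishedName
    }
}

# Orphans are the rows where StillProtectedMember is $false: candidates for clearing adminCount
# and re-enabling inheritance. Protected members with InheritanceBlocked = $true are expected.
$report | Sort-Object StillProtectedMember, SamAccountName | Format-Table -AutoSize
$report | Where-Object { -not $_.StillProtectedMember } |
    Export-Csv -Path .\admincount-orphans.csv -NoTypeInformation   # assumed output path
```

Run this from a domain-joined host with RSAT; the CSV is the list of accounts the fix script would touch, which makes it easy to spot an account that still needs its protection (for example one that is in a protected group through a membership path the filter does not see).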
References:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history
https://www.eventsentry.com/kb/412-how-does-admonitor-determine-if-a-user-is-an-admin
https://model-technology.com/blog/admincount-privileged-groups-sdprop/