ADConnect permission issues with adminCount accounts

Once I was working on migrating Azure AD Connect from one server to another. After the migration, no matter that the account had rights on the SDadmin folder, some accounts failed to be updated with an insufficient rights error.

After some digging, I found that some accounts historically have adminCount set to 1 and inheritance turned off, so to fix that, I used the following script below:

You’d need to have at least Domain admin rights to change the security settings or even more, depending on how AD is mangled 🙂

#Create search variables 

$AdminGroup = Get-ADGroup -LDAPFilter "(adminCount=1)"
$AdminUsers = Get-ADUser -LDAPFilter "(adminCount=1)" 
$Admins = ForEach ($Group in $AdminGroup) {Get-ADGroupMember $Group | Where-Object {$_.ObjectClass -eq “User”} }

#Create empty arrays to store the results
$PGUSers = @()
$OrphanUsers = @()

#Compare $AdminUsers to $Admins and place in appropriate array
ForEach ($User in $AdminUsers){
If ($Admins.objectGUID -Match $User.objectGUID){
$PGUsers += ($User.SamAccountName)
}
Else{
$OrphanUsers += ($User.SamAccountName)
}}

#Clear AdminCount Attribute and enable inheritance

ForEach ($Orphan in $OrphanUsers){

#Clear AdminCount Attribute
$ADUser = Get-ADUser $Orphan
Set-ADUser $ADUser -Clear {AdminCount}
Write-Host ($ADuser.SamAccountName + " | admin count was reset")


#enable inheritance
$dn= [ADSI](“LDAP://” + $ADuser)
$acl= $dn.psbase.objectSecurity

if ($acl.get_AreAccessRulesProtected())
{
    $isProtected = $false 
    $preserveInheritance = $true 
    $acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
    $dn.psbase.commitchanges()
    Write-Host($ADuser.SamAccountName + " | inheritance set to enabled")
}
else
{
    write-host($ADuser.SamAccountName + " | inheritance already enabled")
}
}

References:

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

https://www.eventsentry.com/kb/412-how-does-admonitor-determine-if-a-user-is-an-admin

https://www.techtarget.com/searchwindowsserver/tutorial/Learn-to-adjust-the-AdminCount-attribute-in-protected-accounts

https://model-technology.com/blog/admincount-privileged-groups-sdprop/

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.