Windows Server 2003 automatically protects the security descriptors of the service-level administrator accounts and groups in the local domain, so that they cannot be compromised by an intentional or accidental modification that would leave an account, group or system unusable. This self-correction mechanism runs on the domain controller that holds the PDC Emulator FSMO role. It performs its first check and correction 15 minutes after the system starts and repeats it every 30 minutes thereafter. While it is possible to modify the settings used by this service, it is not recommended.
However, the default permissions imposed by this checking mechanism allow normal users (that is, members of the Authenticated Users group) to see the names of the user accounts that are members of the service administrator groups through any AD search interface or browse list.
To hide these accounts from normal users, you must change the security descriptor on the AdminSDHolder object, which the PDC emulator uses as the template for protecting those groups. The procedure is as follows:
- Disable pre-Windows 2000 compatible access for the domain.
- Create a new user group named Server Applications.
- Open Active Directory Users and Computers.
- Click the View menu, then click Advanced Features in the drop-down menu.
- Select the System container.
- Select the AdminSDHolder object, then right-click it and select Properties from the pop-up menu.
- Select the Security tab.
- Grant the Server Applications group the following access permissions on the AdminSDHolder object:
  - Server Applications: List Contents - Allow - This Object Only
  - Server Applications: Read All Properties - Allow - This Object Only
  - Server Applications: Read Permissions - Allow - This Object Only
- Remove the Authenticated Users and Pre-Windows 2000 Compatible Access entries from the Security tab of the AdminSDHolder object.
- Consider granting user accounts that are members of the service administrator groups membership in the Server Applications group. This is only necessary if those users need to see the members of the service administrator groups.
Now, only user accounts with membership in the Server Applications group will be able to view the membership of the service administrator groups.
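A read-only check of the result, added here as an example and not part of the original article. It uses the ActiveDirectory PowerShell module (an assumption: that module ships with Windows Server 2008 R2 and RSAT, not with Server 2003 itself, but the AdminSDHolder object and its ACL layout are the same), assumes the group is named Server Applications as in the steps above, flags any Allow entry still present for Authenticated Users or Pre-Windows 2000 Compatible Access, confirms the three rights granted to Server Applications, and, going beyond the article, lists the objects flagged adminCount=1, which are the accounts and groups the PDC emulator copies this ACL onto.

```powershell
# Added example: read-only audit of the AdminSDHolder ACL after the change
# described above. Not part of the original article. Assumes the ActiveDirectory
# PowerShell module (Server 2008 R2 / RSAT or later) and a group named
# "Server Applications" in this domain. It reports; it changes nothing.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$acl      = Get-Acl -Path "AD:\$holderDN"

# Principals the procedure removes from AdminSDHolder. Any remaining Allow ACE
# for them is stamped onto every protected account and group, so normal users
# can again read those objects and their membership.
$broad = @('NT AUTHORITY\Authenticated Users',
           'BUILTIN\Pre-Windows 2000 Compatible Access')

# Rights the procedure grants "This Object Only" to Server Applications:
# List Contents = ListChildren, Read All Properties = ReadProperty,
# Read Permissions = ReadControl.
$rightsEnum = [System.DirectoryServices.ActiveDirectoryRights]
$needed     = [int]($rightsEnum::ListChildren -bor $rightsEnum::ReadProperty -bor $rightsEnum::ReadControl)
$saName     = "$($domain.NetBIOSName)\Server Applications"   # assumed group name
$saRights   = 0

$findings = @(foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value

    if ($broad -contains $who) {
        [pscustomobject]@{
            Finding   = 'Broad read access still present'
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
    # Accumulate every this-object-only ACE for the group; the GUI may have
    # written the three rights as one ACE or as several.
    if ($who -eq $saName -and $ace.InheritanceType -eq 'None') {
        $saRights = $saRights -bor [int]$ace.ActiveDirectoryRights
    }
})

$missing = $needed -band (-bnot $saRights)
if ($missing -ne 0) {
    $findings += [pscustomobject]@{
        Finding   = 'Server Applications is missing rights'
        Principal = $saName
        Rights    = [System.DirectoryServices.ActiveDirectoryRights]$missing
        Inherited = $false
    }
}

# Scope of the change: objects currently flagged adminCount=1 are the ones whose
# security descriptors the PDC emulator overwrites with the AdminSDHolder ACL.
$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domain.DistinguishedName |
             Select-Object Name, ObjectClass, DistinguishedName

if ($findings.Count -eq 0) { Write-Output 'AdminSDHolder ACL matches the procedure.' }
$findings  | Format-Table -AutoSize
$protected | Format-Table -AutoSize
```

Run it from an account that can read the System container after the change, and again after the next PDC emulator pass, to confirm that the protected objects listed at the end have picked up the new descriptor rather than the old one.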
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in May 2004