Hiding service administrator accounts from users

Windows Server 2003 automatically protects the security descriptors of the service administrator accounts and groups in the domain (for example Domain Admins, Enterprise Admins, Schema Admins, Administrators, Account Operators, Server Operators, Print Operators, Backup Operators and the built-in Administrator account). A background task, the security descriptor propagator (SDProp), runs on the domain controller that holds the PDC emulator FSMO role. On each run it compares the security descriptor of every protected object against the AdminSDHolder object in the domain's System container and overwrites any difference, so an intentional or accidental ACL change cannot leave a privileged account, group or system unusable or exposed to a non-administrator. SDProp runs every 60 minutes by default; the interval is set by the AdminSDProtectFrequency value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on the PDC emulator. Changing it is possible but not recommended.

However, the default AdminSDHolder security descriptor grants Authenticated Users read access (List Contents, Read All Properties and Read Permissions), so any ordinary domain user can enumerate the members of the service administrator groups through any Active Directory search interface or browse list, including a plain LDAP query of the group's member attribute.

To hide these accounts from normal users, change the security descriptor on the AdminSDHolder object, since that is the descriptor the PDC emulator stamps onto the protected groups. Keep in mind that SDProp copies it to every protected account and group, so the change affects all of them, and it takes effect at the next propagation cycle rather than immediately. The procedure is as follows:

  1. Disable pre-Windows 2000 compatible access for the domain by removing Everyone and Anonymous Logon from the Pre-Windows 2000 Compatible Access group. Confirm first that no legacy application or pre-Windows 2000 RAS server still depends on it.
  2. Create a new security group named Server Applications.
  3. Open Active Directory Users and Computers.
  4. Click the View menu, then click the Advanced Features command from the drop-down menu.
  5. Select the System container.
  6. Select the AdminSDHolder object, then right-click and select Properties from the pop-up menu.
  7. Select the Security tab.
  8. Grant the Server Applications group the following access permissions on the AdminSDHolder object:
    • Server Applications: List Contents - Allow - This Object Only
    • Server Applications: Read All Properties - Allow - This Object Only
    • Server Applications: Read Permissions - Allow - This Object Only
  9. Remove the Authenticated Users and Pre-Windows 2000 Compatible Access entries from the Security tab of the AdminSDHolder object.
  10. Consider adding the user accounts that are members of the service administrator groups to the Server Applications group. This is only necessary if those users need to see the members of the service administrator groups.

Once SDProp has re-stamped the protected objects, only members of the Server Applications group, plus the principals that remain in the AdminSDHolder ACL by default (SYSTEM, Domain Admins, Enterprise Admins and Administrators), can view the membership of the service administrator groups. Because every protected object inherits this descriptor, verify afterwards that applications and services that enumerate these groups (mail systems, provisioning tools, monitoring agents) still work, and make any further adjustment on AdminSDHolder itself: an ACL edited directly on an individual protected group is reverted at the next propagation cycle. Hiding the membership list is a visibility control only; it does not reduce the privileges of the accounts or stop an attacker who already holds one of them.
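The same change scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original article and does not use the ADUC GUI. It assumes RSAT with the ActiveDirectory module, a Domain Admin session, a domain controller that the module can talk to (Windows Server 2008 R2 or later, or a 2003 DC running the Active Directory Management Gateway Service), and a backup folder C:\Backup that already exists; the group name Server Applications follows the article.

```powershell
# Added example (not from the original article): apply the AdminSDHolder
# change described above with the ActiveDirectory module. Assumes RSAT,
# a Domain Admin session and an existing C:\Backup folder (assumed path).
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$domainDn   = $domain.DistinguishedName
$holderDn   = "CN=AdminSDHolder,CN=System,$domainDn"
$holderPath = "AD:\$holderDn"          # AD: drive is provided by the module
$groupName  = "Server Applications"

# Step 1: disable pre-Windows 2000 compatible access by removing Everyone
# (S-1-1-0) and Anonymous Logon (S-1-5-7). Both appear as foreign security
# principals whose DN starts with their SID.
$compat = Get-ADGroup "Pre-Windows 2000 Compatible Access" -Properties member
$legacy = $compat.member | Where-Object { $_ -match '^CN=S-1-1-0,|^CN=S-1-5-7,' }
if ($legacy) {
    Remove-ADGroupMember -Identity $compat -Members $legacy -Confirm:$false
}

# Step 2: create the Server Applications group if it does not exist yet.
$serverApps = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $serverApps) {
    $serverApps = New-ADGroup -Name $groupName -GroupScope Global `
        -GroupCategory Security -Path "CN=Users,$domainDn" -PassThru `
        -Description "May read membership of AdminSDHolder-protected groups"
}

# Keep a copy of the current descriptor (SDDL) so the change can be reverted.
$acl = Get-Acl -Path $holderPath
$acl.Sddl | Out-File -FilePath "C:\Backup\AdminSDHolder-before.sddl" -Encoding ASCII

# Step 8: List Contents / Read All Properties / Read Permissions, this object
# only, for Server Applications.
$rights = [System.DirectoryServices.ActiveDirectoryRights]"ListChildren, ReadProperty, ReadControl"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $serverApps.SID, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)   # "This object only"
$acl.AddAccessRule($ace)

# Step 9: drop every ACE held by Authenticated Users (S-1-5-11) and
# Pre-Windows 2000 Compatible Access (S-1-5-32-554).
foreach ($sid in "S-1-5-11", "S-1-5-32-554") {
    $identity = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $acl.PurgeAccessRules($identity)
}

# Write the new descriptor back to AdminSDHolder.
Set-Acl -Path $holderPath -AclObject $acl

# Step 10 (optional): let the service administrators see the membership.
# Add-ADGroupMember -Identity $serverApps -Members (Get-ADGroupMember "Domain Admins")

# Do not wait up to an hour for SDProp: ask the PDC emulator to run it now.
# Windows Server 2008 and later accept runProtectAdminGroupsTask; a 2003
# PDC emulator expects the older name fixupInheritance instead.
$rootDse = [ADSI]"LDAP://$($domain.PDCEmulator)/RootDSE"
$rootDse.Put("runProtectAdminGroupsTask", "1")
$rootDse.SetInfo()

# Verify: AdminSDHolder itself and a protected group should no longer carry
# ACEs for either removed principal. Both commands should return nothing.
(Get-Acl -Path $holderPath).Access |
    Where-Object { $_.IdentityReference -match 'Authenticated Users|Pre-Windows 2000' }
$domainAdmins = Get-ADGroup "Domain Admins"
(Get-Acl -Path "AD:\$($domainAdmins.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -match 'Authenticated Users|Pre-Windows 2000' }
```

Run the two verification queries again after the propagation cycle has completed; if the Domain Admins query still lists Authenticated Users, SDProp has not yet re-stamped the group. To roll back, rebuild the descriptor from the saved SDDL with `$acl.SetSecurityDescriptorSddlForm((Get-Content C:\Backup\AdminSDHolder-before.sddl))` and `Set-Acl` it back onto the same path.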

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in May 2004
