Does setting adminCount to 0 revoke the protected status of users who are members of a protected AD group?
No. If you set adminCount to 0 manually, it will automatically revert to 1 through the AdminSDHolder mechanism. By default a process called SDProp (Security Descriptor Propagation) runs every 60 minutes on the PDC emulator of the Active Directory domain; it stamps the security descriptor of the AdminSDHolder object onto every protected security principal and sets the adminCount value of each of them to 1.
What is AdminSDHolder?
Every Active Directory domain has an object called AdminSDHolder, which resides in the System container of the domain (CN=AdminSDHolder,CN=System,DC=domain,DC=com). The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of the built-in and other protected administrative groups. The adminCount attribute of an account changes from NULL to 1 when the account is granted administrative permissions through such a group. The adminCount attribute on that user account does not change when the administrative permissions are revoked or the account is disabled; the value 1 remains.
The following Active Directory PowerShell cmdlets list which users and groups are affected by protected group status.
List AD Protected Users:
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(admincount=1)" | Select-Object Name, DistinguishedName
List AD Protected Groups:
Import-Module ActiveDirectory
Get-ADGroup -LDAPFilter "(admincount=1)" | Select-Object Name, DistinguishedName
Default protected administrative groups in Active Directory:
- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Cert Publishers
- Domain Controllers
- Read-Only Domain Controllers
- Replicator
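Because adminCount stays at 1 after an account leaves a protected group, the plain (admincount=1) query above also returns accounts that are no longer protected. The following script is an added example, not part of the original page: it takes the protected group list above, checks for each adminCount=1 user whether it is still a direct or nested member of any of those groups, and also reports whether ACL inheritance is still blocked on the object (SDProp disables inheritance when it applies the AdminSDHolder descriptor). It assumes the ActiveDirectory module and a domain-joined session with read access; the function name Test-ProtectedMembership is my own.

```powershell
# Added audit example (not from the original page): find accounts with a stale adminCount=1.
# Assumes the ActiveDirectory module is available and the session can read the domain.
Import-Module ActiveDirectory

# Default protected groups as listed on this page (adjust if your domain differs).
$protectedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Cert Publishers', 'Domain Controllers', 'Read-Only Domain Controllers', 'Replicator'
)

# Resolve group names to distinguished names once. Enterprise Admins and Schema Admins
# exist only in the forest root, so a lookup from a child domain may fail; warn and skip.
$protectedDNs = foreach ($g in $protectedGroups) {
    try { (Get-ADGroup -Identity $g -ErrorAction Stop).DistinguishedName }
    catch { Write-Warning "Protected group '$g' not found in this domain" }
}

# Build one LDAP filter that matches a user if it is a member (directly or through
# nesting) of any protected group. LDAP_MATCHING_RULE_IN_CHAIN
# (1.2.840.113556.1.4.1941) makes the domain controller walk the nesting server-side.
$chainFilter = '(|' + (($protectedDNs | ForEach-Object {
    "(memberOf:1.2.840.113556.1.4.1941:=$_)" }) -join '') + ')'

function Test-ProtectedMembership {
    # Hypothetical helper name. Returns $true if the user at $UserDN is currently
    # (directly or nested) a member of at least one protected group.
    param([Parameter(Mandatory)][string]$UserDN)
    # -SearchScope Base restricts the query to the single user object, so the
    # filter only has to express the membership test.
    $hit = Get-ADUser -SearchBase $UserDN -SearchScope Base -LDAPFilter $chainFilter
    return [bool]$hit
}

# Every object the page's own query returns, enriched with the two checks.
$report = foreach ($u in Get-ADUser -LDAPFilter '(admincount=1)' -Properties nTSecurityDescriptor) {
    [pscustomobject]@{
        Name               = $u.Name
        DistinguishedName  = $u.DistinguishedName
        StillProtected     = Test-ProtectedMembership -UserDN $u.DistinguishedName
        # AreAccessRulesProtected is $true when inheritance is blocked, as SDProp leaves it.
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

# Stale entries (StillProtected = False) are candidates for cleanup: clearing adminCount
# and re-enabling inheritance, after confirming the account really should not be protected.
$report | Sort-Object StillProtected, Name | Format-Table -AutoSize
```

Accounts such as krbtgt and the built-in Administrator are protected individually rather than via a group and may show StillProtected = False here; check those by name before treating them as stale.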