Detect and correct orphaned ‘adminCount=1’ in Active Directory

I recently needed to detect and correct orphaned ‘adminCount=1’ in Active Directory.
I googled that old problem and found the following code: https://gist.github.com/webash/b34c5a422288827ff4e53318e34c6923

I loved his honesty and the fact that he respected the best practice of adding a note where he has acquired the code.
The help also references a blog post on technet.

I don’t like to reinvent the wheel and I couldn’t resist fixing the code anyway.

#Requires -Version 3.0
#Requires -Module ActiveDirectory
Function Get-OrphanAdminSdHolderUser {
[CmdletBinding()]
Param()
Begin {}
Process {
}
End {
$UsersInAdminGroups = (Get-ADGroup -LDAPFilter '(adminCount=1)') |
ForEach-Object {
# Get all users from all admin groups recursively
Get-ADGroupMember $_ -Recursive | Where-Object {$_.ObjectClass -eq 'User'}
# ...then sort them by distinguishedName to ensure accurate -Unique results (because some users might be in multiple protected groups)
} | Sort-Object distinguishedname | Select-Object -Unique
#Get List of Admin Users (Past and Present) = $UsersFlaggedAsAdmin
#Compare $UsersFlaggedAsAdmin to $Admins and place in appropriate hash table
Get-ADUser -LDAPFilter '(adminCount=1)' |
ForEach-Object {
If ($_.samAccountName -notin $UsersInAdminGroups.samAccountName) {
Write-Verbose -Message ("ORPHAN`t`t{0}" -f $_.samAccountName)
$_
} else {
Write-Verbose -Message ("STILL ADMIN`t{0}" -f $_.samAccountName)
}
}
}
<#
.SYNOPSIS
Detects Orphaned SD Admin users
.DESCRIPTION
Get all users that are members of protected groups within AD and compares membership with users
that have the AD Attribute AdminCount=1 set. If the user has the AdminCount=1 enabled but is
not a member of a protected group then the user is considered an orphaned admin user.
#>
}
Function Clear-OrphanAdminSdHolderUser {
[CmdletBinding(SupportsShouldProcess,ConfirmImpact='High')]
Param(
[parameter(Mandatory,ValueFromPipeline)]
[Microsoft.ActiveDirectory.Management.ADPrincipal[]]$OrphanUser
)
Begin {}
Process {
$OrphanUser |
Where-Object { $_.SamAccountName -ne 'krbtgt' } |
ForEach-Object {
$user = $_
if ($pscmdlet.ShouldProcess($_,'Clear AdminCount and reset permissions inheritance')) {
try {
$user | Set-ADUser -Clear {AdminCount} -ErrorAction Stop
Write-Verbose -Message ('Clearing AdminCount for {0}' -f $user.SamAccountName)
} catch {
Write-Warning -Message "Failed to clear admincount property for $($user.SamAccountName) because $($_.Exception.Message)"
}
try {
$Acl = Get-ACL -Path ('AD:\{0}' -f $user.DistinguishedName) -ErrorAction Stop
If ($Acl.AreAccessRulesProtected) {
$Acl.SetAccessRuleProtection($False, $True)
Set-ACL -AclObject $ACL -Path ('AD:\{0}' -f $user.DistinguishedName) -ErrorAction Stop
Write-Verbose -Message ('Enabling Inheritence for {0}' -f $user.SamAccountName)
} else {
Write-Verbose -Message ('Inheritence already set for {0}' -f $user.SamAccountName)
}
} catch {
Write-Warning -Message "Failed to enable inheritence for $($user.SamAccountName) because $($_.Exception.Message)"
}
}
}
}
End {}
<#
.SYNOPSIS
Resets admin count attribute and enables inheritable permissions on AD user
.DESCRIPTION
The AdminCount attributed is cleared and inheritable permissions are reset
.PARAMETER OrphanUser
A list or array of ADUser objects
.EXAMPLE
Get-OrphanAdminSdHolderUser| Select -First 1 | Clear-OrphanAdminSdHolderUser -WhatIf
.EXAMPLE
Get-OrphanAdminSdHolderUser | Clear-OrphanAdminSdHolderUser
#>
}
view raw OrphanedAdmin.ps1 hosted with ❤ by GitHub

1 thought on “Detect and correct orphaned ‘adminCount=1’ in Active Directory

  1. Pingback: Dew Drop - July 20 2018 (#2770) - Morning Dew

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.