AdminSDHolder and admincount=1 attribute

Certain groups within Active Directory are considered protected groups and are protected by AdminSDHolder. Every hour the SDProp process stamps the members of those groups with adminCount=1, overwrites their ACL with the one on the AdminSDHolder object, and blocks inheritance. So when a user becomes a member of a protected group it will no longer inherit permissions from its parent object in AD (usually an OU). This can mess up any carefully laid permission delegations you may have configured. Much more on AdminSDHolder here

As an AD admin you may find that if you have been delegated permissions to, say, reset passwords of all users in an OU, you could come across a user whose password you can't reset. You'll basically be told you do not have permissions on that object. If that user account was once in a protected group it will not be inheriting the permissions from the parent OU, and the adminCount attribute is left set to 1 even after the account is removed from the group.

To identify users in an OU that have the attribute adminCount set to 1:

$count = Get-ADUser -SearchBase "OU=ExampleOU,DC=Example,DC=Com" -Properties adminCount -Filter * | Where-Object { $_.adminCount -gt 0 }

To then set that attribute back to 0 (only worthwhile for accounts that have actually left the protected group; SDProp will re-stamp anything still a member):

$count | Select SamAccountName,distinguishedName,adminCount | ForEach-Object {Set-Aduser -Identity $_.SamAccountName -Replace @{adminCount=0}}


Once that is done, inheritance needs to be re-enabled on the object; the code below is from here


$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "OU=companyusers,dc=enterpriseit,dc=co"
ForEach ($user in $users) {
    # Bind to the user object through ADSI
    $ou = [ADSI]("LDAP://" + $user.DistinguishedName)
    $sec = $ou.psbase.ObjectSecurity

    if ($sec.AreAccessRulesProtected) {
        $isProtected = $false          # allow inheritance
        $preserveInheritance = $true   # preserve inherited rules
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $ou.psbase.CommitChanges()     # write the ACL change back to AD
        Write-Host "$user is now inheriting permissions"
    }
    else {
        Write-Host "$user Inheritable Permission already set"
    }
}
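Putting the two steps together, here is an added example (not the post's own code) that audits an OU for leftover adminCount=1 accounts, skips any that are still a member of a protected group (SDProp would re-protect them within the hour anyway), and for the rest clears adminCount and re-enables inheritance through the AD: PSDrive instead of ADSI. The OU path is a placeholder, the script defaults to report-only, and the protected-group list is assumed to match the domain defaults.

```powershell
# Added example, not from the original post.
# Assumptions: ActiveDirectory module available, placeholder OU, default protected groups.
Import-Module ActiveDirectory

$SearchBase = "OU=ExampleOU,DC=Example,DC=Com"   # placeholder OU
$ReportOnly = $true                               # set to $false to make changes

# Default AdminSDHolder-protected groups (Windows Server 2016 defaults; adjust for your forest)
$ProtectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
    'Domain Controllers', 'Enterprise Admins', 'Enterprise Key Admins',
    'Key Admins', 'Print Operators', 'Read-only Domain Controllers',
    'Replicator', 'Schema Admins', 'Server Operators'
)

function Get-ProtectedGroupMembership {
    param([string]$DistinguishedName)
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership in a single query
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$DistinguishedName)" |
        Where-Object { $ProtectedGroups -contains $_.Name } |
        Select-Object -ExpandProperty Name
}

$flagged = Get-ADUser -SearchBase $SearchBase -Filter 'adminCount -eq 1' -Properties adminCount

foreach ($user in $flagged) {
    $dn = $user.DistinguishedName
    $stillProtected = Get-ProtectedGroupMembership -DistinguishedName $dn

    if ($stillProtected) {
        Write-Host "$($user.SamAccountName): still in $($stillProtected -join ', '), leaving alone"
        continue
    }

    $acl = Get-Acl -Path "AD:\$dn"
    Write-Host ("{0}: orphaned adminCount=1, inheritance blocked = {1}" -f `
        $user.SamAccountName, $acl.AreAccessRulesProtected)

    if ($ReportOnly) { continue }

    # Clear the flag, then unblock inheritance while keeping the explicit ACEs in place
    Set-ADUser -Identity $dn -Clear adminCount
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Write-Host "$($user.SamAccountName): adminCount cleared and inheritance re-enabled"
}
```

Run it once with $ReportOnly left at $true and review the list; the "still in ..." lines are the accounts that are protected on purpose, and those should stay as they are. Clearing the attribute with -Clear rather than -Replace @{adminCount=0} removes it entirely, which is the state a never-protected account has.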


Move users to OU based on description

Trying to keep up with job changes and ensuring user accounts are in the correct OU in AD can be problematic. In the environment I work in each team has their own OU (I'm not sure why it is like this, I suspect it's a case of 'that's the way we've always done it').

Anyway, mine is not to reason why. The good thing is that the descriptions for users are fairly well defined; for example, for someone in the 2nd line team the description is 'Second Line Support Team'. Using this description, users can be moved to the correct OU with PowerShell.

First I create variables for the OUs

$secondlineou = "OU=SecondLineOU,DC=Example,DC=Com"

then I can use Get-Aduser and filter on the description

Get-ADUser -Filter "Description -eq 'Second Line Support Team'"

This gives me all users in AD with a description of ‘Second Line Support Team’

I then pipe that information to the Move-ADObject cmdlet and specify the variable as the target:

Move-ADObject -TargetPath $secondlineou

Putting this all together gives

$secondlineou = "OU=SecondLineOU,DC=Example,DC=Com"

Get-ADUser -Filter "Description -eq 'Second Line Support Team'" | Move-ADObject -TargetPath $secondlineou


I have this running as a scheduled task. This has made things easier on the service desk team. All they now need to do is update a user's description and the automation will ensure the account gets placed into the correct OU.
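The one-liner above handles one team. As an added example (not the post's own scheduled task) here is a table-driven version that covers several teams, verifies the target OU exists, skips accounts already in the right place, escapes apostrophes in the description, and logs every move. Because the description field is writable by the service desk, anything that can edit it can also relocate an account (and so change which GPOs and delegations apply to it), which is why the log line and a dry-run switch are worth having. OU paths and the log path are placeholders.

```powershell
# Added example, not from the original post. Placeholder OUs and log path.
Import-Module ActiveDirectory

$OuByDescription = @{
    'Second Line Support Team' = 'OU=SecondLineOU,DC=Example,DC=Com'
    'First Line Support Team'  = 'OU=FirstLineOU,DC=Example,DC=Com'
}
$LogPath = 'C:\Scripts\MoveUsersByDescription.log'   # placeholder
$DryRun  = $true                                     # set to $false to actually move

function Get-ParentContainer {
    param([string]$DistinguishedName)
    # Strip the leading RDN (up to the first unescaped comma) to get the parent OU
    $DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''
}

foreach ($entry in $OuByDescription.GetEnumerator()) {
    $description = $entry.Key
    $targetOu    = $entry.Value

    # Fail loudly if the target OU is missing instead of silently moving nothing
    try { $null = Get-ADOrganizationalUnit -Identity $targetOu -ErrorAction Stop }
    catch { Write-Warning "Target OU not found: $targetOu"; continue }

    # Double any apostrophe so it survives inside the single-quoted filter literal
    $escaped = $description -replace "'", "''"
    $users = Get-ADUser -Filter "Description -eq '$escaped'" -Properties Description

    foreach ($user in $users) {
        if ((Get-ParentContainer $user.DistinguishedName) -ieq $targetOu) { continue }

        $line = "{0} {1} -> {2}" -f (Get-Date -Format s), $user.DistinguishedName, $targetOu
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetOu -WhatIf:$DryRun
        Add-Content -Path $LogPath -Value $line
    }
}
```

Run it with $DryRun set to $true first; Move-ADObject prints what it would do and the log still records the intended moves, so the service desk can check the mapping before it goes live as a scheduled task.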

Mailbox Enable all users in an OU

As well as having to Skype enable all users recently (see previous post) I also had to mailbox enable the users. With Exchange 2010 you can't just import the PowerShell module; you connect to the server's remote PowerShell endpoint instead. Using this article as a base I came up with this:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchangeservername/powershell

Import-PSSession $Session

Get-User -OrganizationalUnit "OU=ExampleOU,DC=Example,DC=Com" | Enable-Mailbox -Database "your mailbox database"
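The same thing as an added example (not the post's own script) that authenticates with Kerberos, only enables users who do not already have a mailbox, defaults to -WhatIf, and tears the session down afterwards. Server name, OU and database name are placeholders.

```powershell
# Added example, not from the original post. Placeholder server, OU and database.
$ExchangeServer = 'exchangeservername'
$OU             = 'OU=ExampleOU,DC=Example,DC=Com'
$Database       = 'your mailbox database'

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeServer/PowerShell/" -Authentication Kerberos
Import-PSSession $Session -DisableNameChecking | Out-Null

try {
    # RecipientTypeDetails 'User' = AD user object with no Exchange mailbox yet
    $pending = Get-User -OrganizationalUnit $OU -RecipientTypeDetails User -ResultSize Unlimited

    foreach ($u in $pending) {
        # Drop -WhatIf once the list looks right
        Enable-Mailbox -Identity $u.DistinguishedName -Database $Database -WhatIf
    }
    "{0} user(s) in $OU would be mailbox-enabled" -f @($pending).Count
}
finally {
    Remove-PSSession $Session
}
```

Filtering on RecipientTypeDetails makes the script safe to re-run: users who already have a mailbox are not returned, so Enable-Mailbox never errors on them.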


Skype/Lync Enable all users in an OU

I recently had to enable all users in a specific OU for Skype for Business 2015. Easily done with PowerShell:

Either import the SkypeForBusiness module into a normal PowerShell window or run the Skype for Business Server Management Shell.

Import-Module SkypeForBusiness

Get-CsAdUser -OU "OU=ExampleOU,DC=example,DC=com" | Enable-CsUser -RegistrarPool "your pool name" -SipAddressType EmailAddress

Set IP Address and DNS settings with PowerShell – Windows 2012 and newer

Get-NetAdapter lists the adapters with their alias and interface index:

Name                      InterfaceDescription                    ifIndex Status
----                      --------------------                    ------- ------
Ethernet                  vmxnet3 Ethernet Adapter                     12 Up

Name is the InterfaceAlias.

New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress -PrefixLength 24 -DefaultGateway

Could also use the interface index instead of the alias:

New-NetIPAddress -InterfaceIndex 12


Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ”,″
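As an added example (not from the post), here is the same configuration wrapped in a function that can be re-run safely: it turns DHCP off, removes any existing IPv4 address and default route on the adapter (otherwise New-NetIPAddress fails because the object already exists), applies the new address and DNS servers, and returns the resulting configuration so the caller can verify it. The addresses are placeholders from the RFC 5737 documentation range, and the alias matches the Get-NetAdapter output above.

```powershell
# Added example, not from the original post. Placeholder addresses (RFC 5737 range).
function Set-StaticIPv4 {
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        [Parameter(Mandatory)][string]$IPAddress,
        [int]$PrefixLength = 24,
        [Parameter(Mandatory)][string]$DefaultGateway,
        [Parameter(Mandatory)][string[]]$DnsServers
    )

    $adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop
    if ($adapter.Status -ne 'Up') { Write-Warning "$InterfaceAlias is $($adapter.Status)" }

    # Static addressing: disable DHCP on the IPv4 interface first
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled

    # Clear existing IPv4 address and default route so New-NetIPAddress does not collide
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $DefaultGateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

    # Return the applied configuration for verification
    Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias
}

Set-StaticIPv4 -InterfaceAlias 'Ethernet' -IPAddress '192.0.2.10' -PrefixLength 24 `
    -DefaultGateway '192.0.2.1' -DnsServers '192.0.2.53', '192.0.2.54'
```

Run it from a console session or out-of-band management rather than over a remote session on the same adapter, since the address is removed before the new one is added.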