I am trying to delegate permissions for a service account to modify a single extended property on Active Directory user accounts. The property is msDS_CloudExtensionAttribute1.
Our AD user objects have this property, so it is easy to delegate the proper permissions at the OU level. However, protected user accounts (such as domain admins) keep having their permissions reset by the SDPropagator task.
To fix this, I need to correct the permissions that are applied to protected accounts by modifying the AdminSDHolder object in Active Directory. This object does not have the msDS_CloudExtensionAttribute1 property. Therefore, I have been unable to grant write permissions to this property on this object.
How do I add the missing property to this specific AD object, so I can set permissions on it and have them copied to protected user accounts?
In order to do this I had to use the Active Directory Schema MMC.
Once open, navigate to Classes, then right-click container and choose Properties. Under the Attributes tab, click Add, add the missing attribute/property and apply. Close and re-open Active Directory Users and Computers, and the AdminSDHolder object will now have the new attribute. After this, I was able to delegate permissions to write this property, then allow the SD Propagator task to update all protected accounts, which solved my issue.
After applying the schema change, MMC gave me an error and crashed. But the new attribute was present as expected when I went back into the Schema MMC.
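The same procedure scripted in PowerShell, as an added example that is not part of the answer above: add the attribute to the container class's mayContain on the schema master (the Schema MMC step), grant the service account WriteProperty on AdminSDHolder for that one attribute only, trigger SDProp instead of waiting for its next run, and verify the ACE landed on a protected account. Assumptions not in the original: the service account name CONTOSO\svc-cloudattr is hypothetical, and the attribute's LDAP display name is taken to be msDS-cloudExtensionAttribute1 (the question writes it with an underscore). Run it as a member of Schema Admins and Domain Admins, and treat the schema write with the usual care: it is forest-wide and should be tested in a lab first.

```powershell
# Added example, not the original poster's steps. Requires the ActiveDirectory module,
# Schema Admins (for step 2) and rights to edit AdminSDHolder (step 3).
Import-Module ActiveDirectory

$attrLdapName = 'msDS-cloudExtensionAttribute1'   # assumed LDAP display name
$svc          = 'CONTOSO\svc-cloudattr'           # hypothetical service account

$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster                # schema writes must go to the schema master
$rootDse      = Get-ADRootDSE -Server $schemaMaster
$schemaNC     = $rootDse.schemaNamingContext
$defaultNC    = $rootDse.defaultNamingContext

# 1. Find the attributeSchema object; its schemaIDGUID is what an object-specific ACE refers to.
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrLdapName))" `
    -Properties schemaIDGUID
if (-not $attr) { throw "Attribute '$attrLdapName' not found in the schema." }
$attrGuid = [guid]$attr.schemaIDGUID

# 2. AdminSDHolder is objectClass=container, so the attribute has to be allowed on that class.
#    Adding it to mayContain is the PowerShell equivalent of the Schema MMC step in the answer.
$containerClass = Get-ADObject -Server $schemaMaster -Identity "CN=Container,$schemaNC" -Properties mayContain
if ($containerClass.mayContain -notcontains $attrLdapName) {
    Set-ADObject -Server $schemaMaster -Identity $containerClass -Add @{ mayContain = $attrLdapName }
    # Ask the schema master to reload its schema cache now rather than on the next refresh.
    $rootDseAdsi = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDseAdsi.Put('schemaUpdateNow', 1)
    $rootDseAdsi.SetInfo()
}

# 3. Grant WriteProperty on AdminSDHolder for this single attribute (not "write all properties").
#    Inheritance None = "this object only": SDProp copies the ACE onto each protected user object.
$adminSdHolderPath = "AD:\CN=AdminSDHolder,CN=System,$defaultNC"
$sid = (New-Object System.Security.Principal.NTAccount($svc)).Translate(
          [System.Security.Principal.SecurityIdentifier])
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl = Get-Acl -Path $adminSdHolderPath
$acl.AddAccessRule($ace)
Set-Acl -Path $adminSdHolderPath -AclObject $acl

# 4. Run the SD Propagator now (it otherwise runs about every 60 minutes on the PDC emulator).
$pdc = [ADSI]"LDAP://$($forest.RootDomain)/RootDSE"
$pdc.Put('runProtectAdminGroupsTask', 1)
$pdc.SetInfo()

# 5. Verify: the ACE should now appear on a protected account such as the built-in Administrator.
Start-Sleep -Seconds 30
$da = Get-ADUser -Identity 'Administrator'
(Get-Acl -Path "AD:\$($da.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -eq $svc -and $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

Scoping the ACE to the attribute's schemaIDGUID is the point of the exercise: a plain WriteProperty with an empty object type on AdminSDHolder would let the service account write every attribute on every protected account after the next SDProp run. Worth remembering that whatever can write this attribute on domain admins now includes anything that can act as that service account, so keep its credential handling to the same standard as the accounts it touches.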