Avoid Overuse of Protected Groups

by Mitch Tulloch [Published on 7 Dec. 2005 / Last Updated on 7 Dec. 2005]

protected groups, user rights, PDC Emulator

Protected groups are special built-in groups that are used to assign administrative rights to users. These groups include:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Account Operators
  • Sever Operators
  • Backup Operators
  • Print Operators

and a few others. If you want to assign someone certain privileges on your server, you can make them a  member of the appropriate protected group. For example, to give someone the right to back up files on your server you simply make them a member of Backup Operators.

This sound like a great idea but too much of a good thing can be bad (as I know from experience the time I ate a whole pecan pie for desert--I was sick afterwards). The problem is that Active Directory keeps an eye on these groups to make sure that no-one changes the rights they have or the permissions they have on resources. AD does this by creating a special thread called AdminSdHolder/DsPropagator and running this thread once each hour.

So what can go wrong with that? Well, if you have a lot of user accounts that are members of different protected groups, then once each hour you may see the CPU utilization on your PDC Emulator domain controller go to 100% for a period of time as this thread does it's housekeeping work. If you see this happening, you need to either (a) move your PDC Emulator role to a beefier machine, or (b) reduce the number of members of your protected groups.

In fact, apart from Enterprise/Schema/Domain Admins, you may not want to use the other protected groups at all and instead create your own security groups and assign the necessary rights to these groups by configuring the appropraite Security Settings/Local Policies/User Rights Assignment setting in Group Policy. These groups you create yourself for backup, restore, printer, accounts and other second-tier administration purposes will not have any effect on the CPU utilization of your PDC Emulator.

Mitch Tulloch (MVP Windows Server) is a well-known industry expert in Windows administration and security and author of fourteen books including the Microsoft Encyclopedia of Networking, the Microsoft Encyclopedia of Security, Windows Server Hacks and IIS6 Administration. Mitch is based in Winnipeg, Canada and is President of MTIT Enterprises, an IT content development company. You can find more information about him on his website www.mtit.com

Featured Links