Avoid Overuse of Protected Groups

protected groups, user rights, PDC Emulator

Protected groups are special built-in groups that are used to assign administrative rights to users. These groups include:

  • Enterprise Admins
  • Schema Admins
  • Domain Admins
  • Account Operators
  • Server Operators
  • Backup Operators
  • Print Operators

and a few others. If you want to assign someone certain privileges on your server, you can make them a member of the appropriate protected group. For example, to give someone the right to back up files on your server you simply make them a member of Backup Operators.

This sounds like a great idea, but too much of a good thing can be bad (as I know from experience the time I ate a whole pecan pie for dessert; I was sick afterwards). The catch is that Active Directory actively guards these groups and their members. Every member of a protected group (and the group object itself) has the permissions on its directory object overwritten with the ACL of the AdminSDHolder object in the domain's System container, so that nobody can quietly take control of an admin account by editing the ACL on that account. AD does this with a process called SDProp (the Security Descriptor Propagator), which runs on the PDC Emulator once each hour, disables ACL inheritance on each protected object, stamps the AdminSDHolder ACL onto it and sets its adminCount attribute to 1.

So what can go wrong with that? Well, if you have a lot of user accounts that are members of protected groups (membership is evaluated recursively, so nested groups count too), then once each hour you may see the CPU utilization on your PDC Emulator domain controller go to 100% for a period of time while SDProp does its housekeeping work. If you see this happening, you need to either (a) move your PDC Emulator role to a beefier machine, or (b) reduce the number of members of your protected groups. Option (b) has a side effect worth knowing about: SDProp never undoes its work, so an account you remove from a protected group keeps adminCount=1 and its non-inherited ACL until you clear them by hand.

In fact, apart from Enterprise/Schema/Domain Admins, you may not want to use the other protected groups at all. Instead, create your own security groups and assign only the rights they need through the appropriate Security Settings/Local Policies/User Rights Assignment setting in Group Policy (for example, "Back up files and directories" and "Restore files and directories" for a backup group). Groups you create yourself for backup, restore, printer, account and other second-tier administration purposes are not protected, so they have no effect on the CPU utilization of your PDC Emulator, and you avoid handing out the full bundle of rights that a built-in operator group carries.
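The following PowerShell script is an added example, not code from the original article. It shows the check a practitioner would run before and after trimming protected groups: it counts how many principals SDProp has to process and lists "orphaned" accounts that still carry adminCount=1 even though they are no longer in any protected group. The group membership and account list are constructed sample data with hypothetical account names (da-alice, bk-02, old-backup and so on) so the script runs offline; the commented-out lines at the end show how to feed it live data from the ActiveDirectory module instead.

```powershell
# Added example (not from the article). Audits protected-group membership and
# finds adminCount=1 "orphans": accounts SDProp once stamped that are no longer
# members of any protected group. Inputs below are constructed sample data.

# Protected groups named in the article (other built-in ones are omitted here).
$ProtectedGroups = 'Enterprise Admins','Schema Admins','Domain Admins',
                   'Account Operators','Server Operators','Backup Operators','Print Operators'

function Get-ProtectedMembership {
    param(
        # Hashtable: group name -> member sAMAccountNames (recursively expanded)
        [hashtable]$Membership,
        # Objects with SamAccountName and AdminCount properties
        [object[]]$Accounts
    )
    # Every principal that is currently in at least one protected group
    $inProtected = @{}
    foreach ($g in $ProtectedGroups) {
        foreach ($m in @($Membership[$g])) { $inProtected[$m] = $true }
    }
    # Accounts SDProp has stamped (adminCount=1) but which are no longer protected
    $stamped = $Accounts | Where-Object { $_.AdminCount -eq 1 }
    $orphans = $stamped  | Where-Object { -not $inProtected.ContainsKey($_.SamAccountName) }

    [pscustomobject]@{
        ProtectedPrincipals = $inProtected.Count
        PerGroup            = $ProtectedGroups | ForEach-Object {
                                  [pscustomobject]@{ Group = $_; Members = @($Membership[$_]).Count }
                              }
        Orphans             = @($orphans | Select-Object -ExpandProperty SamAccountName)
    }
}

# --- Constructed sample data (hypothetical accounts; replace with live queries) ---
$SampleMembership = @{
    'Domain Admins'    = 'da-alice','da-bob'
    'Backup Operators' = 'bk-01','bk-02','bk-03'
    'Print Operators'  = 'prt-helpdesk'
}
$SampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'da-alice';   AdminCount = 1 }
    [pscustomobject]@{ SamAccountName = 'bk-02';      AdminCount = 1 }
    [pscustomobject]@{ SamAccountName = 'old-backup'; AdminCount = 1 }   # removed from Backup Operators, never cleaned up
    [pscustomobject]@{ SamAccountName = 'jdoe';       AdminCount = $null }
)

$report = Get-ProtectedMembership -Membership $SampleMembership -Accounts $SampleAccounts
$report.PerGroup | Format-Table -AutoSize
"Total protected principals SDProp must process: $($report.ProtectedPrincipals)"
"Orphaned adminCount=1 accounts: $($report.Orphans -join ', ')"

# To run against a live domain (ActiveDirectory module), build the inputs like this:
# $Membership = @{}
# foreach ($g in $ProtectedGroups) {
#     $Membership[$g] = @(Get-ADGroupMember $g -Recursive | Select-Object -ExpandProperty SamAccountName)
# }
# $Accounts = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties sAMAccountName,adminCount |
#     Select-Object @{n='SamAccountName';e={$_.sAMAccountName}}, @{n='AdminCount';e={$_.adminCount}}
#
# For each orphan you can then clear the stale stamp and re-enable inheritance:
# Set-ADObject -Identity $orphanDN -Clear adminCount
# $acl = Get-Acl "AD:\$orphanDN"; $acl.SetAccessRuleProtection($false, $true); Set-Acl "AD:\$orphanDN" $acl
```

With the constructed data the report shows six protected principals and one orphan, old-backup. The per-group counts are the number SDProp walks every hour, so they are the figure to watch when deciding whether your PDC Emulator load comes from protected-group bloat; the orphan list is the cleanup step the article's option (b) leaves you with after removing members.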

Mitch Tulloch (MVP Windows Server) is a well-known industry expert in Windows administration and security and author of fourteen books including the Microsoft Encyclopedia of Networking, the Microsoft Encyclopedia of Security, Windows Server Hacks and IIS6 Administration. Mitch is based in Winnipeg, Canada and is President of MTIT Enterprises, an IT content development company. You can find more information about him on his website www.mtit.com
