|
Re: AdminSDHolder
The AdminSDHolder container is a special container object inside of the System container in Active Directory. The basic function of AdminSDHolder is exactly what it says it does - it holds the Access Control List (ACL) for every admin account. This container is just a template. Once every hour, the DC that holds the PDC Emulator role goes through every account that is in built-in Administrators group and checks the ACL for each user object. It compares this ACL to that of the AdminSDHolder container and if any Access Control Entry (ACE) is different, it rips out the old ACL and copies the ACL from the AdminSDHolder over to it.
The purpose of AdminSDHolder is to prevent against a specific attack scenario. Active Directory is extremely flexible down to it' s most granular level. Because of this, a user can have write access to anything inside of a specific OU. If an admin account is moved to an OU that a non-admin has rights to, he could give himself privileged access to the admin account. AdminSDHolder tries to prevent this from happening by continuously refreshing the ACL on an admin account.
Re: Stopping the BlackBerry Router Service
Stopping the BlackBerry Router allows the Exchange Servers to clear the cached permissions for the BlackBerry Enterprise Server administration account. I am currently investigating various methods to expedite this process (e.g Restarting the Information Store Service).
|