Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

When trying to run the SDProp or RunProtectAdminGroupsTaskGet an error (0x57) in LDP

  • Filter
  • Time
  • Show
Clear All
new posts

  • When trying to run the SDProp or RunProtectAdminGroupsTaskGet an error (0x57) in LDP

    I have been having a heck of a time with trying to get a user group in the Builtin\Administrators group. Every time I put it within 24 hours the Builtin\Administrators resets to its previous configuration (this includes the auditing I had set to check what was doing the resetting)

    I believe the issue may be the AdminSDHolder. So I am trying to get the a test up so that when I make a change I can force the checks to run and no longer have to wait to see if it worked.

    I have been using the following article to try and force the run however whenever I follow the instructions I get the following error

    ***Call Modify...
    ldap_modify_s(ld, '(null)',[0] attrs);
    Error: Modify: Unwilling To Perform. <53>
    Server error: 00000057: LdapErr: DSID-0C0422CE, comment: Error in attribute conversion operation, data 0, v23f0
    Error 0x57 The parameter is incorrect.

    Honestly I have not had to go this far into AD before because I have never had to deal with a system this broken so I am looking for any help or insight. I have already confirmed that my user has the Run-Protect-Admin-Groups-Task rights. I think I have successfully changed the dsHeuristics to f so that it isn't protecting as much but because the reason whey things are being modified is because at some point in the past someone put the Domain Users group in the Builtin\Administrators group and I now need to find a way to safely remove it without changing rights so that we can start testing what the effects will be on users before making the change, so I make another group with all the users in it and wanted to put that in while we take out the Domain users.

    Please any help you can provide would be useful.
    Q. I made some changes to the Active Directory (AD) permissions in our test AD forest and I'd like to check whether these changes are compatible with the permissions Windows enforces using the AdminSDholder mechanism. AdminSDHolder is a built-in AD mechanism that Microsoft provides to protect against the unauthorized modification of permissions on critical security groups and accounts, such as the Enterprise Admins, Schema Admins, and Domain Admins groups.

  • #2
    I have figured out the issue. The instructions were not as clear as one would hope. When it said click enter I just pressed the enter button where there is actually a button in the application labeled "Enter" and then you have to click the "Run" button. This is likely the entirety of that issue.