Active Directory Clear AdminCount

1st April 2022

PingCastle or another Domain health/security tool may tell you that an account isn’t administrator but it has the adminCount set to a number larger than 0. here is how to fix that. Sometimes called AdminDsHolder

Why do we care? this is to have a record of any process that sets itself to administrator, does it’s bad stuff, then removes administrator from itself. BUT there is nothing stopping the process from resetting it’s own adminCount

In the powershell snippet below userName is account name before @DomainName. it won’t have any spaces.

Get-ADUser userName | Set-ADObject -Clear adminCount