Active Directory Clear AdminCount

1st April 2022

PingCastle or another domain health/security tool may tell you that an account isn’t an administrator but has adminCount set to a number larger than 0. Here is how to fix that. This is sometimes called AdminSDHolder.

Why do we care? This was meant to keep a record of any process that sets itself to administrator, does its bad stuff, then removes administrator from itself. But there is nothing stopping the process from resetting the adminCount.

Get-ADUser userName | Set-ADObject -Clear adminCount
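
To review every account in this state before clearing anything, the following added example (not from the original post) lists users whose adminCount is larger than 0 but who are not current members of the administrative groups, then clears the attribute as a dry run. The group list and the krbtgt exclusion are assumptions to adjust for your domain.

```powershell
# Added example, not part of the original post.
Import-Module ActiveDirectory

# Assumption: the groups that count as "administrator" for this check.
$adminGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'
)

# Distinguished names of every current member, nested membership included.
$adminDns = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
$unreadable = @()
foreach ($group in $adminGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            ForEach-Object { [void]$adminDns.Add($_.DistinguishedName) }
    } catch {
        # Enterprise Admins / Schema Admins only exist in the forest root domain.
        $unreadable += $group
        Write-Warning "Could not read '$group': $($_.Exception.Message)"
    }
}

# Users with adminCount larger than 0 that are no longer in any of those groups.
# krbtgt is excluded (assumption): it is protected without being a group member.
$stale = Get-ADUser -LDAPFilter '(adminCount>=1)' -Properties adminCount, whenChanged |
    Where-Object {
        -not $adminDns.Contains($_.DistinguishedName) -and
        $_.SamAccountName -ne 'krbtgt'
    }

$stale |
    Sort-Object whenChanged -Descending |
    Format-Table SamAccountName, adminCount, whenChanged, DistinguishedName -AutoSize

if ($unreadable.Count -gt 0) {
    Write-Warning "Membership incomplete for: $($unreadable -join ', '). Check the list by hand."
}

# Dry run: -WhatIf only prints what would be cleared.
# Remove -WhatIf once the list above has been reviewed.
$stale | Set-ADObject -Clear adminCount -WhatIf
```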