Manually kick off SDProp (Security Descriptor Propagator Update)

This is how you can manually start SDProp (the propagation of the AdminSDHolder security permissions) on Windows 2008 R2/2012 DCs. Run the script on the DC holding the PDC FSMO role.

Script
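# Requires the ActiveDirectory module
Import-Module ActiveDirectory
# DC holding the PDC emulator role; SDProp runs on this DC
$PDC = Get-ADDomain | Select-Object -ExpandProperty PDCEmulator
$Temp = "c:\temp\RikardStrand\temp.txt"
# Create the folder if it is missing, otherwise Set-Content fails
New-Item -ItemType Directory -Path (Split-Path $Temp) -Force | Out-Null
Write-Host $Temp
# LDIF: the empty dn targets rootDSE; writing 1 to runProtectAdminGroupsTask starts SDProp
Set-Content -Path $Temp -Value @'
dn:
changetype: modify
add: runProtectAdminGroupsTask
runProtectAdminGroupsTask: 1
-
'@
# Send the modification to the PDC emulator
ldifde -i -f $Temp -s $PDC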
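
To confirm the run took effect, the following added example (not part of the original post) compares the DACL of every object with adminCount=1 against the AdminSDHolder template, reading from the PDC emulator. It assumes a stamped object carries the same DACL SDDL string as AdminSDHolder; the variable and report property names are this example's own.

```powershell
# Added example: list adminCount=1 objects whose DACL differs from AdminSDHolder.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator   # read from the DC where SDProp runs
$holder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$access = [System.Security.AccessControl.AccessControlSections]::Access

# Reference DACL: the template SDProp copies onto protected objects.
$refSd   = (Get-ADObject -Identity $holder -Server $pdc -Properties nTSecurityDescriptor).nTSecurityDescriptor
$refSddl = $refSd.GetSecurityDescriptorSddlForm($access)

$report = Get-ADObject -LDAPFilter '(adminCount=1)' -Server $pdc -Properties nTSecurityDescriptor, whenChanged |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        [pscustomobject]@{
            Name               = $_.Name
            ObjectClass        = $_.ObjectClass
            # SDProp disables inheritance on the objects it stamps.
            InheritanceBlocked = $sd.AreAccessRulesProtected
            # Assumption: a stamped object has the same DACL SDDL string as AdminSDHolder.
            MatchesHolder      = ($sd.GetSecurityDescriptorSddlForm($access) -eq $refSddl)
            WhenChanged        = $_.whenChanged
            DistinguishedName  = $_.DistinguishedName
        }
    }

# Objects that are not (or no longer) in line with the template.
$drift = @($report | Where-Object { -not $_.MatchesHolder -or -not $_.InheritanceBlocked })

"{0} object(s) with adminCount=1, {1} out of line with AdminSDHolder" -f @($report).Count, $drift.Count
$drift | Sort-Object ObjectClass, Name |
    Format-Table Name, ObjectClass, InheritanceBlocked, MatchesHolder, WhenChanged -AutoSize
```

An object listed here either has not been processed yet or still carries adminCount=1 from an earlier membership in a protected group, since that attribute is not cleared when the membership is removed. Give SDProp time to finish before treating a mismatch as a finding.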
