Detecting members of Protected Groups within AD
Posted by Alan McBurney on July 16, 2013
I do a lot of Exchange and Lync work, and typically after a project I get calls from customers saying that things aren't working quite as expected.
Some typical issues include insufficient rights to modify users within Lync, ActiveSync not working, or Send As permissions being stripped from users within Exchange.
What all these issues have in common is that the affected users are members of what are termed Protected Groups within AD, and security inheritance is being stripped from the user object. This is done by the SDProp process on the PDC emulator: it copies the ACL from the CN=AdminSDHolder object in the domain's System container onto every member of a protected group, disables inheritance on the object, and stamps the attribute adminCount=1. Any inherited permissions that Exchange or Lync granted to the object are lost, and they are removed again on the next SDProp run if an administrator re-adds them.
If you need a primer, or a deep dive for that matter, into Protected Groups, see John Policelli's article here.
The following Active Directory PowerShell commands (ActiveDirectory module, available with RSAT) can be used to detect which users and groups are affected by Protected Group status, based on the adminCount attribute that SDProp sets.
To get the list of protected users:
Get-ADUser -LDAPFilter "(admincount=1)" | select name
To get the list of protected groups:
Get-ADGroup -LDAPFilter "(admincount=1)" | select name
Once the users have been removed from the Protected Groups, it is just a matter of re-enabling security inheritance on the user object from within AD (Advanced Security Settings on the user's Security tab), and the issues should be resolved. Two caveats: make sure the user is really no longer a member of any protected group, directly or through a nested group, because SDProp runs every 60 minutes by default and will strip inheritance again; and clear adminCount at the same time, since SDProp never resets it, so a user removed from a protected group keeps adminCount=1 and still shows up in the query above.
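The detection queries above and the fix described here, combined into one script. This is an added example and not the post's own code: it lists every user stamped with adminCount=1, checks whether the user is still a (nested) member of a protected group, reads the real inheritance state from the security descriptor, and, when $ApplyFix is set, restores inheritance and clears adminCount on the orphaned ones. It assumes the ActiveDirectory RSAT module is installed, that the account running it can modify the affected user objects, and that the hard-coded group list matches the protected groups of your forest (the default list is shown; adjust it if your domain differs).

```powershell
# Added example, not from the original post: report adminCount=1 users, tell
# the still-protected ones from the orphans, and repair the orphans.
# Assumptions: ActiveDirectory RSAT module present, rights to modify the
# affected users, and the default protected group list below.
Import-Module ActiveDirectory

# Set to $true to actually change objects; $false only reports.
$ApplyFix = $false

# Default protected groups. Enterprise Admins and Schema Admins exist only in
# the forest root domain, so missing groups are skipped rather than failing.
$ProtectedGroups = @(
    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators',
    'Print Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Read-only Domain Controllers', 'Enterprise Admins', 'Schema Admins',
    'Key Admins', 'Enterprise Key Admins'
)

# Distinguished names of every user that is currently protected. Membership is
# resolved recursively because SDProp also protects members of nested groups.
$ProtectedMembers = @{}
foreach ($name in $ProtectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if ($null -eq $group) { continue }
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $ProtectedMembers[$_.distinguishedName] = $true }
}

# Every user carrying adminCount=1, with the inheritance state read from the
# security descriptor rather than inferred from the attribute.
$Report = @(Get-ADUser -LDAPFilter '(admincount=1)' -Properties nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            Name               = $_.Name
            DistinguishedName  = $_.DistinguishedName
            StillProtected     = $ProtectedMembers.ContainsKey($_.DistinguishedName)
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        }
    })

$Report | Sort-Object StillProtected, Name |
    Format-Table Name, StillProtected, InheritanceBlocked -AutoSize

# Orphans: stamped adminCount=1 but no longer in any protected group. Fixing a
# user that is still a member is pointless; SDProp re-stamps it within an hour.
$Orphans = @($Report | Where-Object { -not $_.StillProtected })
Write-Host ("{0} user(s) with adminCount=1, {1} orphaned." -f $Report.Count, $Orphans.Count)

if ($ApplyFix) {
    foreach ($o in $Orphans) {
        # Re-enable inheritance on the user object; the explicit ACEs copied from
        # AdminSDHolder are kept (second argument) so nothing is silently dropped.
        $entry = [ADSI]"LDAP://$($o.DistinguishedName)"
        $entry.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)
        $entry.psbase.CommitChanges()
        # Clear adminCount so the account stops matching (admincount=1) queries.
        Set-ADUser -Identity $o.DistinguishedName -Clear adminCount
        Write-Host "Restored inheritance and cleared adminCount on $($o.Name)"
    }
}
```

Run it once with $ApplyFix left at $false and review the table: a user with StillProtected = True should be left alone (remove it from the group first, or accept that Exchange and Lync cannot manage it), while StillProtected = False together with InheritanceBlocked = True is exactly the orphaned case the post describes.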
Delegar Administración en Active Directory (Delegating Administration in Active Directory) | WindowServer said
[…] Detecting members of Protected Groups within AD: https://everythingsysadmin.wordpress.com/2013/07/16/detecting-members-of-protected-groups-within-ad/ […]
Script: Fixing Orphaned AdminSDHolder Accounts « Alan's sysadmin Blog said
[…] This is intended as a follow up to Detecting members of Protected Groups within AD […]