
chadmcox / active_directory_scripts


Making my local storage of useful AD Scripts available to everyone.

License: MIT License

PowerShell 99.92% Batchfile 0.08%
activedirectory users groups computers sites sitelinks subnets stale security conflict

active_directory_scripts's Introduction

ADPoSh


active_directory_scripts's Issues

ADROOT Account Found

What is the ADROOT account living in RootDSE? This PowerShell script was able to find it, but when I browse RootDSE using ADSI Edit I can't see it, but I can find it and manipulate it when running PowerShell through ISE when debugging. I can't find any documentation on the existence of this account, but it was privileged at one time because the script finds it and resets its AdminCount flag. Why does this script find it, and since it reset the flag on it, should I be concerned?


Script seems to find and "fix" ALL privileged users, not just stale

There is a problem with FindandFixADObjectswithStaleAdminSDHolder.ps1 that results in ALL users...even those with current membership in protected groups...having adminCount=1 cleared.

When I run FindandFixADObjectswithStaleAdminSDHolder.ps1 on Windows Server 2019 standard in an AD environment that has fewer than 10 users, the script finds and "fixes" 52 users.

Additionally, in AD there were a half dozen or so users that were a member of Administrators (a protected group) and the script detects these as "stale" and "fixes" them by clearing adminCount even though they should remain protected.

Within the hour when SDPROP runs the adminCount of these users is automatically set back to 1 (as it should be, as far as I can tell), so no harm done.

But the behavior I saw is that the script essentially clears adminCount for ALL users...and then the next run of SDPROP sets adminCount=1 for the users that should have it. This is still useful...but is not what I expected the script to do.

FindandFixADObjectswithStaleAdminSDHolder.ps1 re-queries each admin group for every flagged object

Every group in $default_admin_groups is queried via Get-ADGroup for every flagged object in the domain. As a result, with large numbers of admin groups and/or flagged objects, this can take a very long time to run.

It would be more efficient to pull all members of those admin groups into a collection of some sort and query that collection for the presence of the flagged object, rather than making a new call to Get-ADGroup each time.

FindandFixADObjectswithStaleAdminSDHolder.ps1 ignores recursive nested admin groups leading to invalid results

It seems FindandFixADObjectswithStaleAdminSDHolder.ps1 only identifies the default set of admin groups and ignores recursive groups that are nested within. As a result, the resulting output file for valid privileged members is missing users that are members of said nested groups. I noticed this when users I know to be members of nested groups within the admin groups were missing from the default report.

With that said, when determining orphaned users, it appears you are querying recursively (get-adgroup -recursivematch), so the orphaned results seem fine.
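
The two issues above ask for the same thing: resolve the protected groups' membership once, including nested groups, and check each adminCount=1 object against that cached set. The following is an added, report-only example and not code from the repository; the group list and the `Protected` / `ReviewAsStale` labels are assumptions made for illustration.

```powershell
# Added example, report-only: no attribute is modified.
Import-Module ActiveDirectory

# Assumption: a short illustrative list of protected groups. The script's own
# $default_admin_groups may hold different entries.
$protectedGroupNames = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Case-insensitive set of distinguished names that are legitimately protected.
$protectedDns = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)

foreach ($name in $protectedGroupNames) {
    $groups = @(Get-ADGroup -Filter "Name -eq '$name'")
    if ($groups.Count -eq 0) { Write-Warning "Group '$name' not found in this domain" }

    foreach ($group in $groups) {
        # The protected group itself also carries adminCount=1.
        [void]$protectedDns.Add($group.DistinguishedName)

        # One query per group. LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
        # returns direct and nested members, including the nested groups themselves.
        # The DN is placed in the filter unescaped, which is fine for default group names.
        $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
        Get-ADObject -LDAPFilter $filter | ForEach-Object {
            [void]$protectedDns.Add($_.DistinguishedName)
        }
    }
}

# One query for every flagged object, then an in-memory lookup per object.
$report = Get-ADObject -LDAPFilter '(adminCount=1)' | ForEach-Object {
    $isProtected = $protectedDns.Contains($_.DistinguishedName)
    [pscustomobject]@{
        DistinguishedName = $_.DistinguishedName
        ObjectClass       = $_.ObjectClass
        Status            = if ($isProtected) { 'Protected' } else { 'ReviewAsStale' }
    }
}

$report | Sort-Object Status, DistinguishedName | Format-Table -AutoSize
```

`ReviewAsStale` marks a candidate, not a verdict: membership held only through an account's primary group does not appear in `memberOf`, and some objects are protected without belonging to any listed group, so review the list before clearing anything.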
