Large number of masked domain admin accounts incorrectly returned to Threat Defense for Active Directory

Article ID: 246122

Products

Endpoint Security Complete, Endpoint Protection, Endpoint Threat Defense for Active Directory

Issue/Introduction

With the Symantec Threat Defense for Active Directory (TDAD) policy applied, a very large increase in the number of accounts with admin access is seen when running this command:

([adsisearcher]"(&(objectClass=person)(objectClass=User)(admincount=1))").FindAll()

The number of admin accounts returned with the mask applied is much larger than the default 6X obfuscation factor would account for.

Cause

The admincount value was incorrectly set to 1 for all fake users.

Resolution

On-premises: 

This issue is fixed in Symantec Endpoint Protection (SEP) 14.3.5.0 (RU5).

For information on how to obtain the latest build of SEP, see Download Symantec software, tools, and patches.

Cloud:

This issue is fixed in Symantec Endpoint Security (SES) 14.3.5.0 (RU5).

For information on how to upgrade the SES agent, see Upgrading Windows client software automatically.