
May 15, 2025 • 6 mins

🎙️ In This Episode of Directory Insights in 10 Minutes
Craig Birch breaks down the misunderstood AdminSDHolder object and the SDProp process in Active Directory—why they exist, how they protect privileged groups, and how attackers exploit misconfigurations to maintain persistence.

🔍 What You’ll Learn:
• What AdminSDHolder and SDProp actually do
• Why they matter for Tier 0 group protection
• How attackers abuse them for persistent elevated access
• Which ACLs and inherited permissions to look for
• PowerShell methods to quickly audit for dangerous ACEs


🛠️ PowerShell Script – AdminSDHolder ACL Audit

# Get the AdminSDHolder ACL and filter for dangerous ACEs.
# Requires the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

# AdminSDHolder lives in the System container of the domain naming context
$domainNC = (Get-ADDomain).DistinguishedName
$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"

# Read the security descriptor; .Access exposes the individual ACEs
$acl = (Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor).nTSecurityDescriptor

# Allow ACEs granting full control, write, or the ability to rewrite the
# DACL/owner. Note that the built-in defaults (Domain Admins, Enterprise
# Admins, Administrators, SYSTEM) legitimately hold full control here, so
# review the output against a known-good baseline rather than treating
# every hit as a finding.
$dangerousACEs = $acl.Access | Where-Object {
    $_.AccessControlType -eq "Allow" -and
    $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner"
}

$dangerousACEs | Format-Table IdentityReference, ActiveDirectoryRights

✅ Run this to find permissions on the AdminSDHolder template that SDProp will propagate to the protected groups and accounts, and that an attacker with write access could use to maintain elevated access.
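The script above audits the template itself. The "inherited permissions" point from the episode is the other half of the check: SDProp stamps every protected object with adminCount=1, blocks ACL inheritance on it, and overwrites its DACL with the AdminSDHolder DACL roughly every 60 minutes. The following is an added example (not from the episode or the Guardians of the Directory show) that walks every adminCount=1 object and reports ones whose inheritance is still enabled or whose DACL carries ACEs that the template does not. It assumes the ActiveDirectory module and a domain-joined session; the helper name ConvertTo-AceKey is my own.

```powershell
# Added example: reconcile every SDProp-stamped object (adminCount=1) against
# the AdminSDHolder template DACL. Not code from the episode; assumes the
# ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

$domainNC        = (Get-ADDomain).DistinguishedName
$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"

# Hypothetical helper: flatten an ACE into a comparable string
# (identity, rights, allow/deny, object GUID, inherited-object GUID).
function ConvertTo-AceKey {
    param($Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
        $Ace.AccessControlType, $Ace.ObjectType, $Ace.InheritedObjectType
}

# Explicit ACEs on the template; SDProp copies exactly these to protected objects
$templateSD   = (Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor).nTSecurityDescriptor
$templateKeys = $templateSD.Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object { ConvertTo-AceKey $_ }

# Every object SDProp has ever touched carries adminCount=1
$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domainNC `
    -Properties nTSecurityDescriptor, adminCount

$results = foreach ($obj in $protected) {
    $sd   = $obj.nTSecurityDescriptor
    $keys = $sd.Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { ConvertTo-AceKey $_ }

    # ACEs on the object that the template does not carry: either SDProp has
    # not run since a change (default interval 60 min), or the object is stale
    # (adminCount left at 1 after leaving a protected group) and no longer
    # receives the template, so a direct ACL edit persists.
    $extra   = @($keys         | Where-Object { $templateKeys -notcontains $_ })
    $missing = @($templateKeys | Where-Object { $keys -notcontains $_ })

    [pscustomobject]@{
        Name               = $obj.Name
        DistinguishedName  = $obj.DistinguishedName
        InheritanceBlocked = $sd.AreAccessRulesProtected   # SDProp sets this to $true
        ExtraACEs          = $extra.Count
        MissingACEs        = $missing.Count
        ExtraDetail        = ($extra -join '; ')
    }
}

# Objects still inheriting, or carrying ACEs the template lacks, need review
$results |
    Where-Object { -not $_.InheritanceBlocked -or $_.ExtraACEs -gt 0 } |
    Format-Table Name, InheritanceBlocked, ExtraACEs, MissingACEs -AutoSize
```

Run it as a regular audit and diff the output over time: a protected object that suddenly shows inheritance enabled, or an extra ACE that survives past the next SDProp cycle, is the kind of drift the episode describes attackers relying on. Objects that show up with adminCount=1 but are no longer in any protected group are worth cleaning up (reset adminCount and re-enable inheritance) so they stop carrying a privileged-looking DACL that nothing maintains.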

📌 Brought to you by Guardians of the Directory
