🎙️ In This Episode of Directory Insights in 10 Minutes
Craig Birch breaks down the misunderstood AdminSDHolder object and the SDProp process in Active Directory—why they exist, how they protect privileged groups, and how attackers exploit misconfigurations to maintain persistence.
🔍 What You’ll Learn:
• What AdminSDHolder and SDProp actually do
• Why they matter for Tier 0 group protection
• How attackers abuse them for persistent elevated access
• Which ACLs and inherited permissions to look for
• PowerShell methods to quickly audit for dangerous ACEs
🛠️ PowerShell Script – AdminSDHolder ACL Audit
# Get AdminSDHolder ACL and filter for dangerous ACEs
# (any Allow ACE granting rights that let the holder rewrite the object or its DACL,
# which SDProp would then push to every protected Tier 0 group and account)
$domainNC = (Get-ADDomain).DistinguishedName
$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"
$acl = (Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor).nTSecurityDescriptor
$dangerousACEs = $acl.Access | Where-Object {
    $_.AccessControlType -eq "Allow" -and
    $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner"
}
$dangerousACEs | Format-Table IdentityReference, ActiveDirectoryRights
✅ Run this to find potentially exploitable permissions in protected AD groups.
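A follow-on check, added here as an example and not part of the episode's script: SDProp stamps the AdminSDHolder DACL onto every adminCount=1 object and disables inheritance on it, so any explicit ACE on a protected object that is missing from the template is either a change SDProp has not yet reset or a sign the object is no longer really protected. The helper Get-AceKey is an assumption of this example; the cmdlets and properties are standard ActiveDirectory module members.

```powershell
# Added example: diff each adminCount=1 object's explicit ACEs against the
# AdminSDHolder template and flag objects whose inheritance is still enabled.
Import-Module ActiveDirectory

$domainNC        = (Get-ADDomain).DistinguishedName
$adminSDHolderDN = "CN=AdminSDHolder,CN=System,$domainNC"

# Helper (hypothetical, defined for this example): one comparable string per ACE.
function Get-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    '{0}|{1}|{2}|{3}|{4}' -f $Ace.IdentityReference, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType, $Ace.InheritanceType
}

$templateSD   = (Get-ADObject -Identity $adminSDHolderDN -Properties nTSecurityDescriptor).nTSecurityDescriptor
$templateKeys = @($templateSD.Access | ForEach-Object { Get-AceKey $_ })

$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor, adminCount
foreach ($obj in $protected) {
    $sd = $obj.nTSecurityDescriptor

    # SDProp disables inheritance on the objects it stamps. Inheritance still
    # enabled means the object is not currently being protected (adminCount set
    # by hand, or inheritance re-enabled and not yet reset by the next SDProp pass).
    if (-not $sd.AreAccessRulesProtected) {
        Write-Warning "$($obj.DistinguishedName): adminCount=1 but ACL inheritance is enabled"
    }

    # Explicit ACEs on the object that do not appear in the template.
    $extra = $sd.Access |
        Where-Object { -not $_.IsInherited } |
        Where-Object { $templateKeys -notcontains (Get-AceKey $_) }

    foreach ($ace in $extra) {
        [pscustomobject]@{
            Object   = $obj.DistinguishedName
            Identity = $ace.IdentityReference
            Rights   = $ace.ActiveDirectoryRights
            Type     = $ace.AccessControlType
        }
    }
}
```

Objects that drift from the template with no corresponding change to AdminSDHolder are worth reviewing alongside the template ACL audit above, since SDProp will silently re-stamp them within about an hour and hide the evidence.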
📌 Brought to you by Guardians of the Directory