AdminSDHolder and Protected Groups Abuse

Description

AdminSDHolder is a special container in Active Directory (CN=AdminSDHolder,CN=System in each domain) whose Access Control List (ACL) serves as the security template for highly privileged “protected” groups and their members (e.g., Domain Admins, Enterprise Admins, Schema Admins). A background process on the PDC emulator (SDProp) periodically stamps the AdminSDHolder ACL onto these objects, overwriting any ACL changes made directly on them. If attackers gain the ability to modify AdminSDHolder or the ACLs of protected groups (via WriteDACL, GenericAll, or similar rights), any ACE they add is propagated by SDProp to every protected object, giving them persistent privileges that survive password resets and group membership changes.

Examples

Identify Protected Accounts and Groups

List objects with adminCount = 1, which indicates protection by AdminSDHolder:

# Requires the ActiveDirectory module (Import-Module ActiveDirectory)
Get-ADObject -LDAPFilter "(adminCount=1)" -Properties adminCount,ObjectClass,Name |
  Select-Object Name,ObjectClass,DistinguishedName

Look for ordinary users, service accounts, or groups in this list that should not be treated as Tier‑0. Because SDProp never clears adminCount, an account that was once a member of a protected group keeps the flag (and the AdminSDHolder ACL, with inheritance disabled) until an administrator resets it.
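The following script is an added example (not code from the original page) that turns the one-line listing above into a check: it rebuilds the set of objects that SDProp is expected to protect today, by walking the default protected groups and their nested groups, and reports every adminCount=1 object outside that set. It assumes the ActiveDirectory module, a domain-joined session with read access to the domain, and the default set of protected groups; any group you have added to or removed from protection should be reflected in $protectedGroups.

```powershell
# Added example: find "orphaned" adminCount=1 objects, i.e. objects that still carry the
# AdminSDHolder protection although they are no longer members of a protected group.
# Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Default protected groups. Enterprise Admins and Schema Admins exist only in the
# forest root domain; missing groups are skipped below.
$protectedGroups = @(
  'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
  'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
  'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'
)

# Set of distinguished names that legitimately carry adminCount=1 right now
$expected = New-Object 'System.Collections.Generic.HashSet[string]'

function Add-ProtectedMembers {
  param([string]$GroupDN)
  # HashSet.Add returns $false when the DN is already present: stops cycles in nesting
  if (-not $expected.Add($GroupDN)) { return }
  foreach ($m in (Get-ADGroupMember -Identity $GroupDN -ErrorAction SilentlyContinue)) {
    if ($m.objectClass -eq 'group') {
      # Nested groups are protected too, so walk into them instead of stopping
      Add-ProtectedMembers -GroupDN $m.DistinguishedName
    } else {
      [void]$expected.Add($m.DistinguishedName)
    }
  }
}

foreach ($name in $protectedGroups) {
  $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
  if ($grp) { Add-ProtectedMembers -GroupDN $grp.DistinguishedName }
}

# SDProp also protects the built-in Administrator and krbtgt accounts directly
foreach ($sam in 'Administrator', 'krbtgt') {
  $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
  if ($u) { [void]$expected.Add($u.DistinguishedName) }
}

# Everything flagged adminCount=1 that is not in the expected set is stale protection
$orphans = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
  Where-Object { -not $expected.Contains($_.DistinguishedName) }

"Expected protected objects: $($expected.Count)"
"Orphaned adminCount=1 objects: $(@($orphans).Count)"
$orphans | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```

Each orphan should be reviewed before it is cleaned up: if the object genuinely no longer needs Tier‑0 protection, the usual remediation is to clear adminCount and re-enable ACL inheritance so the object picks up its OU's permissions again; if it does need protection, it should be in a protected group rather than relying on a leftover flag.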

Inspect AdminSDHolder and Protected Group ACLs

Review who can modify AdminSDHolder and core privileged groups:

# Get-ACL on the AD: drive requires the ActiveDirectory module (Import-Module ActiveDirectory)
# AdminSDHolder ACL (replace DC=corp,DC=local with your domain)
(Get-ACL "AD:\CN=AdminSDHolder,CN=System,DC=corp,DC=local").Access |
  Format-List IdentityReference,ActiveDirectoryRights,AccessControlType,ObjectType,IsInherited

# Example: Domain Admins ACL
(Get-ACL "AD:\CN=Domain Admins,CN=Users,DC=corp,DC=local").Access |
  Format-List IdentityReference,ActiveDirectoryRights,AccessControlType,ObjectType,IsInherited

Third‑party tools, legacy migration groups, or broad “IT” groups with WriteDACL or GenericAll should be treated as high‑risk.

Detect Persistence via ACL-Based Backdoors

Search for ACEs that grant non‑Tier‑0 principals powerful rights over protected objects:

Get-ADObject -LDAPFilter "(adminCount=1)" -Properties ntSecurityDescriptor |
  ForEach-Object {
    $obj = $_
    # Read the object's ACL through the AD: drive (ActiveDirectory module)
    $acl = Get-ACL ("AD:\" + $obj.DistinguishedName)
    # ActiveDirectoryAccessRule exposes ActiveDirectoryRights, not FileSystemRights;
    # keep only Allow ACEs that grant write-type or full-control rights
    $acl.Access | Where-Object {
      $_.AccessControlType -eq 'Allow' -and
      $_.ActiveDirectoryRights -match "Write|GenericAll|GenericWrite"
    } | Select-Object IdentityReference,ObjectType,ActiveDirectoryRights,@{n='Target';e={$obj.Name}}
  }

Unusual identities (e.g., service accounts, vendor groups) with broad rights indicate potential persistence or misconfiguration.

Remediation

  1. Harden AdminSDHolder ACL
    • Limit WriteDACL, GenericAll, and similar rights to a very small set of Tier‑0 admins.
    • Remove legacy or unknown ACEs; document remaining entries and their justification.
  2. Reduce the protected set
    • Audit adminCount=1 objects and remove accounts/groups that no longer need Tier‑0 protection.
    • Move privileged but non‑Tier‑0 administration to separate, less privileged groups.
  3. Monitor for ACL changes
    • Alert on modifications to AdminSDHolder, core privileged groups, and protected accounts.
    • Include ACL changes in your incident response playbooks and routinely review directory permission baselines.
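The script below is an added example (not code from the original page) that supports both the ACL inspection above and remediation step 3: it normalises the AdminSDHolder ACEs into comparable strings, stores a reviewed baseline, reports any ACE added or removed since that baseline, and then pulls the Security-log events that record who changed the object's security descriptor. It assumes the ActiveDirectory module, that Directory Service Changes auditing is enabled with a SACL on AdminSDHolder (otherwise no 5136 events exist), that it runs on a domain controller (add -ComputerName to Get-WinEvent to query a DC remotely), and that C:\Baselines\AdminSDHolder-acl.xml is a placeholder path you choose.

```powershell
# Added example: baseline the AdminSDHolder ACL, diff it on later runs, and list
# recent security-descriptor changes from the Security log (event 5136).
# Assumes the ActiveDirectory module; $baselinePath is a placeholder location.
Import-Module ActiveDirectory

$domainDN      = (Get-ADDomain).DistinguishedName
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"
$baselinePath  = 'C:\Baselines\AdminSDHolder-acl.xml'   # placeholder, pick a protected share/path

function Get-AceSnapshot {
  param([string]$DN)
  # Flatten every ACE into one string so the sets can be compared line by line
  (Get-Acl "AD:\$DN").Access | ForEach-Object {
    '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
      $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType
  } | Sort-Object -Unique
}

$current = Get-AceSnapshot -DN $adminSDHolder

if (-not (Test-Path $baselinePath)) {
  # First run: store the ACL as the baseline. Review it before treating it as approved.
  $current | Export-Clixml -Path $baselinePath
  "Baseline written to $baselinePath ($(@($current).Count) ACEs); review it before trusting it."
} else {
  $baseline = Import-Clixml -Path $baselinePath
  $diff = Compare-Object -ReferenceObject @($baseline) -DifferenceObject @($current)
  if ($diff) {
    # '=>' marks ACEs present now but not in the baseline; '<=' marks ACEs that were removed
    "AdminSDHolder ACL differs from baseline:"
    $diff | Format-Table SideIndicator, InputObject -AutoSize
  } else {
    "AdminSDHolder ACL matches baseline."
  }
}

# Event 5136 ("A directory service object was modified") is written on the DC when
# Directory Service Changes auditing is on and the object's SACL audits the write.
$filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-7) }
$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
  # Parse the EventData fields by name rather than by position
  $xml  = [xml]$_.ToXml()
  $data = @{}
  foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
  [pscustomobject]@{
    Time      = $_.TimeCreated
    Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
    ObjectDN  = $data.ObjectDN
    Attribute = $data.AttributeLDAPDisplayName
    Operation = $data.OperationType
  }
} | Where-Object { $_.ObjectDN -eq $adminSDHolder -and $_.Attribute -eq 'nTSecurityDescriptor' }

"Security-descriptor changes on AdminSDHolder in the last 7 days: $(@($changes).Count)"
$changes | Format-Table Time, Subject, Operation -AutoSize
```

Run it on a schedule and treat any non-empty diff, or any 5136 subject outside the small set of Tier‑0 admins who are allowed to touch AdminSDHolder, as an incident to investigate; once a change has been reviewed and approved, delete the baseline file so the next run records the new approved state.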