
Active Directory Security: Understanding the AdminSDHolder Object

The AdminSDHolder object manages the access control lists of members of built-in privileged Active Directory groups. In this Ask the Admin, I’ll explain how this mechanism works and how you can change the way that it works.




A couple of months back on Petri, I looked at a new feature in Windows Server 2016: Short-Lived Active Directory Group Membership. In that article, I noted that adding user objects to special AD groups, like Account Operators, might cause the adminCount attribute for the account to be changed to 1 if the account is in the group long enough for the AdminSDHolder mechanism to make the account a protected object. If the adminCount attribute is changed and the account is removed from the group, the adminCount attribute remains set to 1.

The Security Descriptor Propagation (SDPROP) process runs every hour on the domain controller holding the PDC emulator FSMO role. It is this process that sets the adminCount attribute to 1. The main function of SDPROP is to protect highly privileged Active Directory accounts, ensuring that they can’t be deleted or have rights modified, accidentally or intentionally, by users or processes with less privilege.

SDPROP scans the domain for protected accounts, disables rights inheritance, and applies an access control list (ACL) on the object that mirrors the ACL of the AdminSDHolder container. But if SDPROP determines that an object’s rights inheritance is already disabled and that the ACLs match those of the AdminSDHolder container, then adminCount is not set to 1. So, the adminCount attribute cannot be used as an indicator to determine whether an object is protected. And to further muddy the waters, if a user is removed from a privileged group, the adminCount attribute remains set to 1 and inheritance remains disabled.

For more information on privileged AD groups, see Managing Privileged Access to Active Directory on Petri.



Controlling SDPROP

SDPROP can’t be disabled, but you can change the frequency at which it runs and exclude one or more privileged groups from protection. Changing the frequency is easy. Just create a REG_DWORD registry value called AdminSDProtectFrequency on the domain controller that holds the PDC Emulator FSMO role. The value should be added to the following key:


The value of AdminSDProtectFrequency should be between 60 and 7200 seconds (2 hours). Bear in mind that if you have a large directory, setting the frequency to less than 1 hour can put additional load on the domain controller’s processor.

The AdminSDHolder container in Active Directory (Image Credit: Russell Smith)

There’s nothing to stop you modifying the permissions and inheritance flag on the adminSDHolder container in AD, although this is not recommended. To modify the container’s ACL, open ADSI Edit from the Tools menu in Server Manager. Connect to the Default naming context and you’ll find the adminSDHolder container under System. For example, if your domain is, the path is as follows:


The AdminSDHolder ACL (Image Credit: Russell Smith)

Some privileged groups can be excluded from protection. You might want to remove a group, like Print Operators, if you have modified the group to remove its privileged access to AD. To change which groups are protected, change the dsHeuristics attribute in CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=ad,DC=contoso,DC=com. To access the Directory Service container, open ADSI Edit from the Tools menu in Server Manager and connect to Configuration. Right-click CN=Directory Service on the left and then select Properties from the menu. Scroll down the list of the attributes in the Properties dialog until you find dsHeuristics.

The Directory Service container in Active Directory (Image Credit: Russell Smith)

Each of the four groups that can be excluded from SDPROP has a binary value as shown in the table below:

| Group             | Binary | Hexadecimal |
|-------------------|--------|-------------|
| Account Operators | 0001   | 1           |
| Server Operators  | 0010   | 2           |
| Print Operators   | 0100   | 4           |
| Backup Operators  | 1000   | 8           |

The dwAdminSDExMask controls which of the above groups are excluded from SDPROP. The dwAdminSDExMask is the 16th bit of the value set in dsHeuristics and is a hexadecimal value. So, if you want to exclude Print Operators from SDPROP, the 16th bit should be set to 4. The value for dsHeuristics would look like this:


The dsHeuristics attribute (Image Credit: Russell Smith)

The 10th bit is always set to 1 if the value is longer than 10 bits. If you only want to modify dwAdminSDExMask, only change the 16th bit. Leave all other bits alone. If you want to exclude more than one group, add the binary values together and then convert the result to hex. For example, to exclude Backup Operators, Print Operators, Server Operators, and Account Operators:

0001 + 0010 + 0100 + 1000 = 1111

1111 = f

So, the dsHeuristics would look like this:
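As an added example (not code from the original article), these PowerShell helpers build a dsHeuristics value from the mask values in the table above and decode an existing value for review. dsHeuristics is stored as a string, so each position the article calls a bit is one character here; the function names, variable names and sample inputs are hypothetical.

```powershell
# Added example: build and decode dsHeuristics for SDPROP exclusions.
# Mask values come from the article's table; all names here are hypothetical.
$SdPropExclusionMask = [ordered]@{
    'Account Operators' = 0x1
    'Server Operators'  = 0x2
    'Print Operators'   = 0x4
    'Backup Operators'  = 0x8
}

function Get-DsHeuristicsWithExclusion {
    param(
        [string]$Current = '',                        # existing dsHeuristics, may be empty
        [Parameter(Mandatory)][string[]]$ExcludeGroup
    )
    $mask = 0
    foreach ($group in $ExcludeGroup) {
        if (-not $SdPropExclusionMask.Contains($group)) {
            throw "'$group' is not one of the four groups that can be excluded."
        }
        $mask = $mask -bor $SdPropExclusionMask[$group]
    }
    # Pad with '0' up to position 16; a longer value keeps every other position.
    $chars = $Current.PadRight(16, '0').ToCharArray()
    $chars[9]  = [char]'1'                            # position 10 is 1 once the value passes 10
    $chars[15] = [char]('{0:x}' -f $mask)             # position 16 = dwAdminSDExMask as a hex digit
    -join $chars
}

function Get-SdPropExcludedGroup {
    param([string]$DsHeuristics = '')
    if ($DsHeuristics.Length -lt 16) { return }       # position 16 absent: nothing excluded
    $mask = [Convert]::ToInt32([string]$DsHeuristics[15], 16)
    foreach ($entry in $SdPropExclusionMask.GetEnumerator()) {
        if ($mask -band $entry.Value) { $entry.Key }
    }
}

# Constructed inputs: an unset attribute, then a value with an earlier position already in use.
$new = Get-DsHeuristicsWithExclusion -Current '' -ExcludeGroup 'Print Operators'
$new
Get-SdPropExcludedGroup -DsHeuristics $new
Get-DsHeuristicsWithExclusion -Current '001' -ExcludeGroup 'Backup Operators', 'Account Operators'
```

Running the decoder against the current attribute value before and after a change gives a quick record of which groups have been taken out of SDPROP protection.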


Discover Users with Blocked Inheritance

If you want to find out which users in a domain have inheritance blocked, there’s a PowerShell script in the TechNet gallery which enumerates user objects in each Organizational Unit (OU), checks to see if inheritance is disabled on each object, and then dumps the results to a comma-delimited file (.csv). You can download the script here.
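Because adminCount alone does not show whether an account is protected, an audit has to combine it with the inheritance flag and current group membership. The following added example (not the TechNet script and not code from the original article) classifies accounts from those three facts; the property names and sample accounts are constructed, and InProtectedGroup is assumed to have been worked out separately.

```powershell
# Added example: classify accounts by the three facts the article discusses.
# Property names and sample accounts are constructed for illustration.
# On a live domain, InheritanceDisabled corresponds to
# nTSecurityDescriptor.AreAccessRulesProtected from Get-ADUser -Properties nTSecurityDescriptor.
function Get-SdPropState {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Account)
    process {
        $flagged = ($Account.AdminCount -eq 1)
        $locked  = [bool]$Account.InheritanceDisabled
        $member  = [bool]$Account.InProtectedGroup
        $state = if ($member -and $locked -and $flagged) {
            'Protected'
        } elseif ($member -and $locked) {
            'Protected, adminCount never set'      # ACL already matched AdminSDHolder
        } elseif ($member) {
            'In group, SDPROP has not processed it yet'
        } elseif ($flagged -and $locked) {
            'Leftover from past membership'        # both settings stay after removal
        } elseif ($flagged -or $locked) {
            'Review manually'
        } else {
            'Ordinary account'
        }
        [pscustomobject]@{ SamAccountName = $Account.SamAccountName; State = $state }
    }
}

# Constructed sample accounts covering the cases described in the article.
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'adm-alice'; AdminCount = 1;     InheritanceDisabled = $true;  InProtectedGroup = $true }
    [pscustomobject]@{ SamAccountName = 'op-bob';    AdminCount = $null; InheritanceDisabled = $true;  InProtectedGroup = $true }
    [pscustomobject]@{ SamAccountName = 'tmp-carol'; AdminCount = $null; InheritanceDisabled = $false; InProtectedGroup = $true }
    [pscustomobject]@{ SamAccountName = 'ex-dave';   AdminCount = 1;     InheritanceDisabled = $true;  InProtectedGroup = $false }
    [pscustomobject]@{ SamAccountName = 'usr-erin';  AdminCount = $null; InheritanceDisabled = $false; InProtectedGroup = $false }
)
$accounts | Get-SdPropState
```

Accounts reported as leftover are the ones to clean up, since their ACLs no longer inherit from the OU and delegated permissions will not apply to them.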



In this Ask the Admin, I explained how adminSDHolder is used to protect privileged AD accounts and how you can modify it to exclude some privileged groups from protection and change the frequency of SDPROP.

