AD object with non-default permissions on AdminSDHolder
Cayosoft Threat Definition CTD-000005
Risk Summary
Non-default permissions on the AdminSDHolder object can allow attackers to grant themselves or others persistent elevated privileges across protected accounts and groups, bypassing normal administrative oversight.
- Severity: Critical
- Platform: Active Directory
- Category: AD Delegation
- MITRE ATT&CK Tactics: Defense Evasion, Privilege Escalation
- MITRE D3FEND Tactics: Application Configuration Hardening, Domain Account Monitoring
Description
A modification of the AdminSDHolder object might be an indication of threat actor activities. Active Directory uses the AdminSDHolder object, protected groups, and Security Descriptor propagator (SDPROP) as protection for privileged users and groups.
When an AD group is marked as protected, AD ensures that the owner, ACLs, and inheritance settings match those on the AdminSDHolder container, and applies them to the group and its members.
Threat actors may alter AdminSDHolder permissions to propagate unauthorized access rights to all protected objects.

Real-World Scenario
An attacker gains temporary access to a Domain Admin account. Instead of making obvious changes, they edit the AdminSDHolder object to grant a hidden security principal full control. Every 60 minutes, AD’s SDPROP process pushes these altered permissions to all protected groups (e.g., Domain Admins, Enterprise Admins) and their members, granting the attacker long-term covert access.
The change might go unnoticed by standard monitoring tools because permissions replicate automatically without further manual action.
Cayosoft Guardian detects this misconfiguration in real time, generating an alert with details of the modified ACLs so security teams can respond immediately before the attacker leverages their persistent foothold.
2.) View All Alerts and search for CTD-000005 or AD object with non-default permissions on AdminSDHolder.
3.) Open the alert and click "Click for details" from the Raise Threat Alert action.
4.) Review Evidence:
- Permissions modified at
- AdminSDHolder Distinguished Name
- Container Distinguished Name with non-default permissions
- Object SID
- Non-default permissions
Remediation Steps
1.) Using the remediation advice in Cayosoft Guardian, follow these steps to remove the vulnerability:
If changes occurred before Cayosoft Guardian was installed, consider restoring default permissions.
To restore default permissions of the AdminSDHolder object:
2.) Open ADSIEdit.
3.) Connect to the Default naming context.
4.) Navigate to CN=AdminSDHolder under CN=System.
5.) Right-click and select Properties.
6.) Switch to the Security tab.
7.) Click Advanced.
8.) Review permissions and remove unexpected entries.
9.) Remove unexpected permissions.
Note: After you apply the changes, they will take effect during the next cycle, which may take up to one hour. If you need to apply the settings immediately, you can manually trigger replication.
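The detection evidence above (container DN, non-default permissions) and the remediation check can be reproduced without the product by snapshotting the AdminSDHolder owner and ACL from a known-good state and diffing against it later. The script below is an added example, not Cayosoft Guardian's code; it assumes the ActiveDirectory PowerShell module (which supplies the AD: drive) and a baseline file path of your choosing.

```powershell
# Added example (not Cayosoft code): baseline-and-diff audit of the AdminSDHolder
# owner and ACL. Run Export once from a known-good state, then Compare on a schedule
# or after remediation; any output means drift that should be reviewed.
Import-Module ActiveDirectory

function Get-AdminSDHolderAceKeys {
    # One canonical string per ACE so snapshots can be diffed with Compare-Object.
    $dn  = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$dn"
    $keys = foreach ($ace in $acl.Access) {
        '{0}|{1}|{2}|{3}|{4}|{5}' -f $ace.IdentityReference.Value, $ace.AccessControlType,
            $ace.ActiveDirectoryRights, $ace.ObjectType, $ace.InheritedObjectType,
            $ace.InheritanceType
    }
    [pscustomobject]@{ Owner = $acl.Owner; Aces = @($keys | Sort-Object -Unique) }
}

function Export-AdminSDHolderBaseline {
    # Capture the known-good state; store the file where attackers cannot edit it.
    param([Parameter(Mandatory)][string]$Path)
    Get-AdminSDHolderAceKeys | Export-Clixml -Path $Path
}

function Compare-AdminSDHolderAcl {
    # Returns ACEs that differ from the baseline: '=>' is present now but not in the
    # baseline (a non-default permission), '<=' was removed since the baseline.
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = Import-Clixml -Path $BaselinePath
    $current  = Get-AdminSDHolderAceKeys
    if ($current.Owner -ne $baseline.Owner) {
        Write-Warning "AdminSDHolder owner changed: '$($baseline.Owner)' -> '$($current.Owner)'"
    }
    Compare-Object -ReferenceObject @($baseline.Aces) -DifferenceObject @($current.Aces) |
        Select-Object @{n='Change';e={$_.SideIndicator}}, @{n='Ace';e={$_.InputObject}}
}

# Usage (hypothetical baseline path):
# Export-AdminSDHolderBaseline -Path 'C:\Secure\adminsdholder-baseline.xml'
# Compare-AdminSDHolderAcl -BaselinePath 'C:\Secure\adminsdholder-baseline.xml'
```

Because the baseline is captured from your own forest, the comparison also covers deliberate, approved entries; re-export the baseline after any sanctioned change so only unexpected ACEs are reported.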
How to Prevent It
Cayosoft Guardian can proactively detect and alert on the "AD object with non-default permissions on AdminSDHolder" threat.
It continuously monitors Active Directory, Entra ID, Microsoft 365, and Intune for over 200 misconfigurations, providing early warning before attackers can exploit them.
FAQ
Changes propagate to all protected groups and accounts, granting or revoking rights on every privileged object in the forest.
By default, every 60 minutes.
Yes, using ADSIEdit or PowerShell to restore default ACLs.
Final Thought
Proactive monitoring and timely remediation of configuration risks are essential to maintaining a secure Active Directory environment. By addressing issues like non-default permissions on AdminSDHolder, you reduce the attack surface and protect privileged accounts from stealthy compromise.