AdminSDHolder – Active Directory & Azure AD/Entra ID Security

May 13 2026

AD Fundamentals: Domain Root & AdminSDHolder Permissions

By Sean Metcalf in ActiveDirectorySecurity, AD Fundamentals, Technical Reference

This series of posts focuses on key Active Directory (AD) components that need to be secured in order to ensure AD security is leveled up. this post focuses on permissions on two important objects in AD: the Domain root and the AdminSDHolder object. Domain Root Let’s start with the domain root. The domain is the container …

AdminSDHolder, AdminSDHolderPermissions, DomainPermissions, DomainRootPermissions

Jun 14 2017

Scanning for Active Directory Privileges & Privileged Accounts

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security

Active Directory Recon is the new hotness since attackers, Red Teamers, and penetration testers have realized that control of Active Directory provides power over the organization. I covered ways to enumerate permissions in AD using PowerView (written by Will @harmj0y) during my Black Hat & DEF CON talks in 2016 from both a Blue Team …

Account Operators, Active Directory permissions, Active Directory PRivileged Access, Active Directory Security, AD, AD ACLs, AD Delegation, AD groups in Local Groups, AD Security, AdminSDHolder, Allow logon locally, Allow logon over Remote Desktop Services, Backup Operators, Bloodhound, Create GPO rights, CreateChild, DCSync, DeleteChild, Domain Admins, Enable computer and user accounts to be trusted for delegation, Enterprise Admins, Extended Right, Full Control, GenericAll, GenericWrite, GPO, Greoup Policy Delegation, Group Membership, Group Policy Object, Group Policy Permission, Impersonate a client after authentication, Link GPO rights, Manage auditing and security log, Manage Group Policy link, PowerView, Print Operators, Replicating Directory Changes All, Restricted Groups, S-1-5--512, S-1-5--517, S-1-5--520, S-1-5-21--1102, S-1-5-21--519, S-1-5-21--525, S-1-5-21--571, S-1-5-32--574, S-1-5-32-544, S-1-5-32-548, S-1-5-32-550, S-1-5-32-551, S-1-5-32-554, S-1-5-32-562, S-1-5-32-573, S-1-5-32-578, SACL, Schema Admins, SDDL, SDProp, Self, SeMachineAccountPrivilege, SeNetworkLogonRight, SeTcbPrivilege, SeTrustedCredManAccessPrivilege, SIDHistory, Synchronize directory service data, User Rights Assignments, Validated Write, WriteDACL, WriteOwner, WritePRoperty

Sep 25 2015

Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights

By Sean Metcalf in ActiveDirectorySecurity, Microsoft Security, Security Conference Presentation/Video, Technical Reference

The content in this post describes a method by which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for 5 minutes. I presented on this AD persistence method at DerbyCon (2015). Complete list of Sneaky Active Directory Persistence Tricks posts AdminSDHolder Overview AdminSDHolder is an object located in …

Content Disclaimer: This blog and its contents are provided "AS IS" with no warranties, and they confer no rights. Script samples are provided for informational purposes only and no guarantee is provided as to functionality or suitability. The views shared on this blog reflect those of the authors and do not represent the views of any companies mentioned. Content Ownership: All content posted here is intellectual work and under the current law, the poster owns the copyright of the article. Terms of Use Copyright © 2011 - 2025.

Tag: AdminSDHolder

AD Fundamentals: Domain Root & AdminSDHolder Permissions

Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright

Tag: AdminSDHolder

AD Fundamentals: Domain Root & AdminSDHolder Permissions

Scanning for Active Directory Privileges & Privileged Accounts

Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights

Recent Posts

Active Directory & Entra ID Security Services

Popular Posts

Categories

Tags

Recent Posts

Recent Comments

Archives

Categories

Meta

Copyright