What is AdminSDHolder?
AdminSDHolder is a container object (CN=AdminSDHolder,CN=System,<domain>) that exists in every Active Directory domain. Its security descriptor is a template: the Security Descriptor Propagator (SDProp), which runs on the PDC emulator every 60 minutes by default, stamps that descriptor onto every protected account and group (members of groups such as Domain Admins, Enterprise Admins, Administrators, Schema Admins and the operator groups, plus the built-in Administrator and krbtgt accounts), sets adminCount to 1 on them, and disables ACL inheritance so that the protected objects' access control lists (ACLs) always stay consistent with AdminSDHolder. That makes AdminSDHolder a single point of control: an attacker who gains write access to its security descriptor can add an access control entry (ACE) for an account they control, and SDProp copies that ACE onto every protected object on its next run. Because SDProp keeps re-applying the template, removing the ACE from the individual accounts does not help; the change has to be reverted on AdminSDHolder itself.
Modifying the security descriptor of the AdminSDHolder container therefore has serious security implications, because it governs the permissions on every protected account and group. Such a change usually indicates either a misconfiguration or an attacker establishing persistence, and it should be detected and reverted immediately to prevent privilege escalation or other unintended exposure. Semperis Purple Knight and Directory Services Protector (DSP) detect such changes, and DSP can also roll them back.
How can I protect AdminSDHolder?
Purple Knight and DSP provide a security indicator to alert you to potential issues related to AdminSDHolder.
- Indicator of exposure (IOE): Operator groups no longer protected by AdminSDHolder and SDProp
- Category: AD Infrastructure
- Frameworks: MITRE ATT&CK: Defense Evasion, MITRE D3FEND: Harden – User Account Permissions
DSP also lets you set up notification rules and receive email alerts whenever a specific AD change occurs. You can use this functionality to monitor for changes to the AdminSDHolder object, in particular to its security descriptor.
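For readers who want to check the same conditions by hand, the following PowerShell script is an added example (it is not code from Semperis, Purple Knight or DSP). It audits the AdminSDHolder security descriptor described in the first section, compares it with a saved baseline so that drift is visible, and decodes the dSHeuristics setting behind the "operator groups no longer protected" indicator above. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read the domain and configuration partitions, and that the baseline path and the allowlist regex are tuned to your forest; both are assumptions chosen for the example.

```powershell
# Added example, not Semperis/Purple Knight/DSP code. Audits the AdminSDHolder
# security descriptor and the dSHeuristics operator-group exemption.
# Assumptions: ActiveDirectory (RSAT) module present, read access to the domain
# and configuration partitions; $baselinePath and $expectedAdmins are example values.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$rootDse      = Get-ADRootDSE
$holderDN     = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$baselinePath = 'C:\SecBaseline\AdminSDHolder.sddl'   # assumed location for the example

# --- 1. Write-class rights on AdminSDHolder --------------------------------
# SDProp copies this descriptor onto every protected account and group, so a
# trustee holding any of these rights here effectively holds them on Domain
# Admins, Enterprise Admins, krbtgt, the built-in Administrator, and so on.
[System.DirectoryServices.ActiveDirectoryRights]$writeMask =
    'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight'

# User-Change-Password extended right; SELF and Everyone hold it by default.
$changePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Principals expected to hold write-class rights on a default AdminSDHolder (example allowlist).
$expectedAdmins = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.+\\(Domain Admins|Enterprise Admins))$'

$acl = Get-Acl -Path "AD:\$holderDN"
"AdminSDHolder owner: $($acl.Owner)"   # expect the domain's Domain Admins group

$suspect = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $writeMask) -ne 0 -and
    $_.IdentityReference.Value -notmatch $expectedAdmins -and
    -not ($_.ActiveDirectoryRights -eq 'ExtendedRight' -and $_.ObjectType -eq $changePasswordGuid)
}
if ($suspect) {
    Write-Warning 'Write-class ACEs on AdminSDHolder held by trustees outside the allowlist:'
    $suspect | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
        Format-Table -AutoSize
}

# --- 2. Drift against a saved SDDL baseline ---------------------------------
# The ACE filter above still needs an allowlist for legitimate defaults (for
# example Cert Publishers or Pre-Windows 2000 Compatible Access); the reliable
# change signal is any difference from a known-good copy of the whole descriptor.
if (Test-Path $baselinePath) {
    $savedSddl = (Get-Content -Path $baselinePath -Raw).Trim()
    if ($savedSddl -ne $acl.Sddl) {
        Write-Warning 'AdminSDHolder SDDL differs from baseline; review the ACE diff and restore a known-good descriptor.'
        # Split before each "(" so every ACE is one comparable token.
        Compare-Object -ReferenceObject ($savedSddl -split '(?=\()') -DifferenceObject ($acl.Sddl -split '(?=\()')
    } else {
        'AdminSDHolder SDDL matches baseline.'
    }
} else {
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    Set-Content -Path $baselinePath -Value $acl.Sddl
    "No baseline found; wrote current SDDL to $baselinePath (verify it is clean before trusting it)."
}

# --- 3. Operator groups exempted from protection (dSHeuristics) ------------
# Character 16 of dSHeuristics (dwAdminSDExMask) is a hex bit mask that removes
# operator groups from SDProp's protected set: 1 = Account Operators,
# 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators.
$dsServiceDN = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsh = (Get-ADObject -Identity $dsServiceDN -Properties dSHeuristics).dSHeuristics
$operatorGroups = @(
    @{ Bit = 1; Name = 'Account Operators' },
    @{ Bit = 2; Name = 'Server Operators'  },
    @{ Bit = 4; Name = 'Print Operators'   },
    @{ Bit = 8; Name = 'Backup Operators'  }
)
if ($dsh -and $dsh.Length -ge 16) {
    $mask = [Convert]::ToInt32($dsh.Substring(15, 1), 16)
    foreach ($g in $operatorGroups) {
        if ($mask -band $g.Bit) {
            Write-Warning "dSHeuristics exempts $($g.Name) from AdminSDHolder/SDProp protection"
        }
    }
    if (-not ($mask -band 0xF)) { 'dSHeuristics character 16 is 0: all operator groups are protected.' }
} else {
    'dSHeuristics is unset or shorter than 16 characters: all operator groups are protected (default).'
}

# --- 4. Objects currently carrying the stamped descriptor -------------------
# adminCount=1 marks objects SDProp has touched. Neither the flag nor the
# inheritance block is cleared automatically when an object leaves a protected
# group, so this list is worth reviewing for stale entries as well.
$protected = @(Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount)
"$($protected.Count) objects carry adminCount=1"
```

Run the script once from a known-clean state to write the baseline, then schedule it (or wire its warnings into your alerting) so that any new ACE on AdminSDHolder, any change of owner, or any operator-group exemption in dSHeuristics surfaces before the next SDProp cycle propagates it. The allowlist in step 1 is deliberately narrow; default entries such as Cert Publishers will be reported until you add them, which is preferable to silently accepting an unknown trustee with write rights on the template.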
Learn more about AdminSDHolder
The following resources provide more information about AdminSDHolder, how to protect it, and how to detect and defend against attacks that exploit it.