AdminSDHolder is a special AD container with some "default" security permissions that is used as a template for protected AD accounts and groups (like Domain Admins, Enterprise Admins, etc.) to prevent accidental and unintended modification of them, and to keep them secure.
The AdminSDHolder container can be backdoored by giving your user GenericAll privileges on it, which effectively makes that user a Domain Admin.
spotless gets all the privileges:
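From the defender's side, this backdoor is visible as an unexpected ACE on the container. The PowerShell audit below is an added example, not code from the original page: the `Find-AdminSDHolderRisk` function, the `$ExpectedTrustees` allow-list and the `EXAMPLE` domain in the sample data are assumptions made for illustration.

```powershell
# Added example: flag unexpected takeover-capable ACEs on AdminSDHolder.
# The SDProp process copies this container's ACL onto protected accounts and
# groups, so one stray ACE here reaches every protected object.

# Assumption: trustees expected to hold strong rights; adjust for your domain.
# Simplification: matches on account name; compare SIDs for a stricter check.
$ExpectedTrustees = 'SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins'

# ActiveDirectoryRights bits: WriteDacl (0x40000) and WriteOwner (0x80000).
# GenericAll (0xF01FF) contains both, so it is caught by the same mask.
$TakeoverMask = 0x40000 -bor 0x80000

function Find-AdminSDHolderRisk {
    param([Parameter(ValueFromPipeline)] $Ace)
    process {
        # Strip the "DOMAIN\" prefix; unresolved SIDs stay as-is and are flagged.
        $name = ("$($Ace.IdentityReference)" -split '\\')[-1]
        if ("$($Ace.AccessControlType)" -eq 'Allow' -and
            ([int]$Ace.ActiveDirectoryRights -band $TakeoverMask) -and
            $ExpectedTrustees -notcontains $name) {
            $Ace | Select-Object IdentityReference, ActiveDirectoryRights
        }
    }
}

# Constructed sample ACEs: three default-style entries plus a GenericAll ACE
# for an ordinary user, as in the scenario described above.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM'
                       AccessControlType = 'Allow'; ActiveDirectoryRights = 0xF01FF }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Admins'
                       AccessControlType = 'Allow'; ActiveDirectoryRights = 0xE01BD }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'
                       AccessControlType = 'Allow'; ActiveDirectoryRights = 0x20094 }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\spotless'
                       AccessControlType = 'Allow'; ActiveDirectoryRights = 0xF01FF }
)
$sample | Find-AdminSDHolderRisk

# Live check against a domain (needs the ActiveDirectory RSAT module):
# Import-Module ActiveDirectory
# $dn = (Get-ADDomain).DistinguishedName
# (Get-Acl "AD:\CN=AdminSDHolder,CN=System,$dn").Access | Find-AdminSDHolderRisk
```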