AdminSDHolder
is a special AD container with some "default" security permissions that is used as a template for protected AD accounts and groups (like Domain Admins, Enterprise Admins, etc.) to prevent their accidental and unintended modifications, and to keep them secure.AdminSDHolder
container can be abused by backdooring it by giving your user GenericAll
privileges, which effectively makes that user a Domain Admin.spotless
with GenericAll
rights for Domain Admins
group:spotless
gets all the privileges:GenericAll
privileges against Domain Admins
group: