Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, a former Microsoft Program Manager for Active Directory Security, today the CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.

Tuesday, June 28, 2016

How to find out who can control/manage the AdminSDHolder object in Active Directory?


As you may know, at Paramount Defenses, we lead and operate the world's largest community of Active Directory Security Professionals on LinkedIn, comprising 2500+ individuals from 1000+ top organizations across 100+ countries worldwide.

(Our group is a sales-free and recruiter-free technical discussion group, and is completely free to join.)

(Image: Active Directory Domain Controllers)

Earlier today, during one of our many technical discussions, titled "What are the security implications of someone being able to modify the security descriptor protecting the domain root object in Active Directory", one of our valued members, Daniel Ulrichs, raised a very good question (mentioned below) that merited its own discussion.

(Incidentally, on the question above, Daniel also recently publicly shared his thoughts on the question on his blog here.)

Q: Who can control the AdminSDHolder object in Active Directory?

Daniel's thoughtful inputs prompted our latest conversation, which focuses on the question: "How to find out who can control AdminSDHolder, i.e. who can change the ACL stamped on the AdminSDHolder object?"
As you may know, every account and group that Active Directory treats as protected (Domain Admins, Enterprise Admins, Administrators, Schema Admins and the other default privileged groups, together with their members) does not keep an ACL of its own for long: the Security Descriptor Propagator (SDProp), which runs on the PDC emulator every 60 minutes by default, overwrites the security descriptor of each such object with the one on CN=AdminSDHolder,CN=System,<domain DN>, disables inheritance on it and marks it with adminCount=1. The ACL on the AdminSDHolder object is therefore the ACL that secures all of them.

This is one of the most important questions in cyber security today, since it directly governs privileged user access in Microsoft Active Directory deployments and thus profoundly impacts the foundational security of 85% of all organizations worldwide.
Needless to say, anyone who can modify the ACL on the AdminSDHolder object holds the "Keys to the Kingdom": an ACE added there (say, Reset Password or Write Members for some account) is copied by SDProp onto every protected account and group within the hour, and any attempt to undo it on an individual protected object is overwritten again at the next propagation. Answering the question also takes more than reading the object's ACL: it means identifying the object's owner (who can always rewrite its DACL), every principal holding an Allow ACE for WriteDacl, WriteOwner or GenericAll on it, and, since such ACEs are almost always granted to groups, every nested member of those groups, while taking any Deny ACEs into account.
Today, ideally, all organizations should, at all times, know exactly who can change the ACL on AdminSDHolder.
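The question above can be answered from the domain itself. The script below is an added example, not code from the original post or from Paramount Defenses; it assumes the RSAT ActiveDirectory module on a domain-joined machine (the module provides the AD: drive that Get-Acl reads from), and the Expand-Principal helper is a name chosen here. It reads the owner and DACL of CN=AdminSDHolder,CN=System,<domain DN>, reports every Allow ACE carrying WriteDacl, WriteOwner or GenericAll, and expands domain groups into their nested members where it can.

```powershell
# Added example (not from the original post): who can rewrite the DACL on AdminSDHolder?
# Assumes the RSAT ActiveDirectory module and a domain-joined session. Reading the
# security descriptor requires only the default Read Permissions right on the object.
Import-Module ActiveDirectory

$domain        = Get-ADDomain
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Get-Acl on the AD: drive returns a System.DirectoryServices.ActiveDirectorySecurity
# object carrying the DACL (.Access) and the owner (.Owner).
$acl = Get-Acl -Path "AD:\$adminSdHolder"

# Standard rights that allow changing the DACL: WriteDacl directly, WriteOwner
# (take ownership first, then write the DACL), or GenericAll (which contains both).
$controlMask = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Hypothetical helper, named here: best-effort expansion of a domain group into its
# nested members so the report shows people, not only group names. Well-known SIDs
# (e.g. NT AUTHORITY\SYSTEM) and anything that cannot be resolved are returned as-is.
function Expand-Principal {
    param([string]$NtAccount)   # e.g. 'CONTOSO\Domain Admins' or 'BUILTIN\Administrators'
    $sam = $NtAccount.Split('\')[-1]
    try {
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectClass
        if ($obj -and $obj.objectClass -eq 'group') {
            $members = Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
                       Select-Object -ExpandProperty SamAccountName
            if ($members) { return (($members | Sort-Object -Unique) -join ', ') }
        }
    } catch { }
    return $NtAccount
}

# One row per Allow ACE that carries any of the control rights.
$rows = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $controlMask) -eq 0) { continue }
    [pscustomobject]@{
        Principal = $ace.IdentityReference.Value
        Rights    = $ace.ActiveDirectoryRights
        Inherited = $ace.IsInherited
        Members   = Expand-Principal $ace.IdentityReference.Value
    }
}

# Deny ACEs override Allow ACEs; list them so the reader can subtract them by hand.
$denies = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    (([int]$_.ActiveDirectoryRights -band $controlMask) -ne 0)
}

"Object : $adminSdHolder"
"Owner  : $($acl.Owner)   (the owner can always rewrite the DACL)"
""
"Principals with WriteDacl / WriteOwner / GenericAll (Allow):"
$rows | Sort-Object Principal | Format-Table -AutoSize -Wrap
if ($denies) {
    "Deny ACEs affecting these rights (these win over the Allow entries above):"
    $denies | Select-Object IdentityReference, ActiveDirectoryRights | Format-Table -AutoSize
}
```

Anything in the output beyond the domain's own administrative groups and SYSTEM deserves an explanation, and the Members column is where the real answer lives, since rights on AdminSDHolder are normally granted to groups rather than to people. Group expansion stops at foreign security principals and at groups Get-ADGroupMember cannot enumerate (the try/catch returns the group name unexpanded in that case), so trust-connected domains need a second pass there.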

Along the same lines, there are many such questions to which every organization should know the exact answer at all times, but for now we are focused on this one fundamental Active Directory security question because it is cardinal to cyber security.

I, of course, know the answer to the question; I'm only asking it for the benefit of our group members. Should you wish to participate in this discussion, or explore numerous such discussions, you're welcome to join the group and the conversation.

To join, simply visit -

Best wishes,
