e-Book

AdminSDHolder Misconceptions & Misconfigurations

AdminSDHolder is an object and associated process in Active Directory Domain Services (AD DS) that helps protect specific sensitive and highly privileged accounts from being manipulated. This topic is often written about but commonly misunderstood. This ebook explores AdminSDHolder in depth: what common documentation gets wrong, how AdminSDHolder is often misconfigured, and how to proactively improve the security posture of AD DS.

Key Takeaways

  • AdminSDHolder has been documented incorrectly for decades
  • There are common misconfigurations and gaps around AdminSDHolder in most AD DS environments
  • An in-depth exploration of Active Directory internals and the Windows access control model

Estimated read time: 420 min

Executive Summary

AdminSDHolder is a critical security mechanism in Active Directory Domain Services (AD DS) that protects highly privileged accounts from unauthorized manipulation. Despite its importance to enterprise security, this feature remains widely misunderstood due to decades of inaccurate documentation from Microsoft that has propagated across industry resources. Organizations frequently misconfigure AdminSDHolder based on this flawed guidance, introducing security vulnerabilities into their environments.

When Best Practices are Wrong

AdminSDHolder serves as a fundamental defense mechanism that prevents lower-privileged accounts from escalating privileges by protecting sensitive administrative groups and accounts. Without this protection in place, accounts with delegated permissions could compromise an entire Active Directory forest. The mechanism operates by applying restrictive access controls and blocking permission inheritance on privileged accounts, effectively creating a security boundary around the most critical identities in the directory. Microsoft’s official documentation contains fundamental errors about how AdminSDHolder actually functions, creating a knowledge crisis that has persisted for years.
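One way to check whether that protection has actually landed on an object, rather than assuming it from group membership, is to compare each adminCount=1 object's DACL and inheritance flag against the AdminSDHolder template. This is an added example, not code from the e-book or from BloodHound; it assumes the ActiveDirectory PowerShell module and treats an exact DACL match with the template as a heuristic, so a mismatch is something to inspect, not proof of tampering.

```powershell
Import-Module ActiveDirectory

# AdminSDHolder lives under the domain's System container; SDProp stamps its
# security descriptor onto every protected account and group.
$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,$($domain.SystemsContainer)"
$holder   = Get-ADObject -Identity $holderDN -Properties nTSecurityDescriptor

# Only the DACL portion is compared here (assumption: an exact SDDL match is
# the expected state after SDProp has processed the object).
$templateDacl = $holder.nTSecurityDescriptor.GetSecurityDescriptorSddlForm('Access')

# adminCount=1 marks objects SDProp has touched at some point, including
# orphans that left a protected group but kept the flag.
$flagged = Get-ADObject -LDAPFilter '(adminCount=1)' `
    -Properties nTSecurityDescriptor, adminCount, objectClass

$report = foreach ($obj in $flagged) {
    $sd   = $obj.nTSecurityDescriptor
    $dacl = $sd.GetSecurityDescriptorSddlForm('Access')
    [pscustomobject]@{
        DistinguishedName   = $obj.DistinguishedName
        ObjectClass         = $obj.ObjectClass
        InheritanceBlocked  = $sd.AreAccessRulesProtected   # SDProp sets this
        DaclMatchesTemplate = ($dacl -eq $templateDacl)
    }
}

# Inheritance still enabled, or a DACL that differs from the template, means
# SDProp has not processed the object yet, the ACL was changed afterwards, or
# the object is an orphan that is no longer in a protected group.
$report |
    Where-Object { -not $_.InheritanceBlocked -or -not $_.DaclMatchesTemplate } |
    Format-Table -AutoSize
```

Run it with an account that can read nTSecurityDescriptor on the flagged objects; an empty table means every adminCount=1 object currently carries the template DACL with inheritance blocked.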

Correcting the Problem

BloodHound version 8.3.0 provides capabilities to identify protection gaps and validate AdminSDHolder coverage across the environment. BloodHound visualizes AdminSDHolder-protected nodes, identifies Tier Zero assets that lack adequate protection, and delivers updated remediation guidance for access control vulnerabilities. These capabilities enable security teams to understand their actual protection posture rather than relying on assumptions based on configuration settings alone.