SDPROP troubleshooting

SDPROP run frequency:
HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\AdminSDProtectFrequency REG_DWORD default 600

SDPROP scope:
16th character (dwAdminSDExMask) of dsHeuristics, interpreted as hex (https://docs.microsoft.com/en-us/previous-versions/technet-magazine/ee361593(v=msdn.10)?redirectedfrom=MSDN)
dsHeuristics is an attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
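
Added example (not part of the original note): a PowerShell decoder for the 16th dsHeuristics character, useful when auditing which operator groups have been excluded from SDPROP protection. The bit-to-group mapping is the one documented in MS-ADTS; the function name Get-AdminSDExMask and the sample strings are constructed for illustration.

```powershell
# Decode dwAdminSDExMask (16th character of dsHeuristics, read as a hex digit).
# Get-AdminSDExMask is a hypothetical helper name, not a built-in cmdlet.
function Get-AdminSDExMask {
    param([string]$DsHeuristics)

    # Bit assignments per MS-ADTS: a set bit EXCLUDES the group from SDPROP.
    $groups = [ordered]@{
        'Account Operators' = 0x1
        'Server Operators'  = 0x2
        'Print Operators'   = 0x4
        'Backup Operators'  = 0x8
    }

    # Attribute unset or shorter than 16 characters: mask is 0, nothing excluded.
    $mask = 0
    if ($DsHeuristics -and $DsHeuristics.Length -ge 16) {
        $char = $DsHeuristics.Substring(15, 1)
        if ($char -notmatch '^[0-9a-fA-F]$') {
            throw "16th character '$char' is not a hex digit"
        }
        $mask = [Convert]::ToInt32($char, 16)
    }

    foreach ($g in $groups.GetEnumerator()) {
        [pscustomobject]@{
            Group              = $g.Key
            ExcludedFromSDProp = [bool]($mask -band $g.Value)
        }
    }
}

# Constructed sample values (not taken from a real forest).
Get-AdminSDExMask -DsHeuristics '000000000100000c' | Format-Table
Get-AdminSDExMask -DsHeuristics '0000002'          | Format-Table

# Against a live forest (requires the ActiveDirectory module):
# $dn = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
#       (Get-ADRootDSE).configurationNamingContext
# Get-AdminSDExMask -DsHeuristics (Get-ADObject $dn -Properties dsHeuristics).dsHeuristics
```

Any group reported as excluded no longer has its ACL reset from AdminSDHolder, so an unexpected non-zero mask is worth tracing to the change that set it.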

Force SDPROP to run once:
Add FixUpInheritance attribute with 1 or Yes as value to RootDSE
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/ddc8da4a-6ac8-4193-b51c-205cebbf483b

Logging:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/configure-ad-and-lds-event-logging
HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Set “9. Internal Processing” and “15. Field Engineering” to 3 or above and increase the Security log size
***REVERT when finished troubleshooting!!!***

 

Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights – Active Directory Security (adsecurity.org)
