SDPROP troubleshooting

SDPROP run frequency:
HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\AdminSDProtectFrequency REG_DWORD default 600

SDPROP scope:
16th char (dwAdminSDExMask) of dsHeuristics (interpreted as hex) on:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=xxx,DC=yyy,DC=zzz
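
An added example (not part of the original notes) that decodes the 16th character of dsHeuristics into the operator groups it takes out of SDPROP scope. The bit-to-group mapping comes from Microsoft's dSHeuristics documentation rather than this page; the helper name and sample values are constructed for illustration.

```powershell
# Added example. Bit-to-group mapping for dwAdminSDExMask as documented by
# Microsoft for dSHeuristics; it is not stated on this page.
$AdminSDExBits = @(
    @{ Bit = 0x1; Group = 'Account Operators' }
    @{ Bit = 0x2; Group = 'Server Operators' }
    @{ Bit = 0x4; Group = 'Print Operators' }
    @{ Bit = 0x8; Group = 'Backup Operators' }
)

function Get-AdminSDExMask {   # hypothetical helper name
    param([string]$DsHeuristics)

    # Unset or shorter than 16 characters: mask is 0, no group is excluded.
    if ([string]::IsNullOrEmpty($DsHeuristics) -or $DsHeuristics.Length -lt 16) {
        return [pscustomobject]@{ Mask = 0; ExcludedGroups = @() }
    }

    $digit = [string]$DsHeuristics[15]   # 16th character, zero-based index 15
    if ($digit -notmatch '^[0-9A-Fa-f]$') {
        throw "16th character '$digit' is not a hex digit"
    }

    $mask = [Convert]::ToInt32($digit, 16)
    $excluded = foreach ($entry in $AdminSDExBits) {
        if ($mask -band $entry.Bit) { $entry.Group }
    }
    [pscustomobject]@{ Mask = $mask; ExcludedGroups = @($excluded) }
}

# Constructed sample values (not read from a real forest).
Get-AdminSDExMask -DsHeuristics '000000000100000f'   # sample with 16th character f
Get-AdminSDExMask -DsHeuristics '0000000001000004'   # sample with 16th character 4
Get-AdminSDExMask -DsHeuristics '0000002'            # sample shorter than 16 characters

# Live value, run with the ActiveDirectory module (DN placeholders as on the page):
# $dn = 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=xxx,DC=yyy,DC=zzz'
# Get-AdminSDExMask -DsHeuristics (Get-ADObject $dn -Properties dsHeuristics).dsHeuristics
```

A non-zero mask means members of the listed groups are outside SDPROP's scope, which is worth ruling out before concluding that SDPROP is failing to stamp them.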

Force SDPROP to run once:
Add FixUpInheritance attribute with 1 or Yes as value to RootDSE

Set “9. Internal Processing” and “15. Field Engineering” to 3 or above and increase the Security log size
***REVERT when finished troubleshooting!!!***


Sneaky Active Directory Persistence #15: Leverage AdminSDHolder & SDProp to (Re)Gain Domain Admin Rights – Active Directory Security
