The ProtectAdminGroups background task tattoos the AdminSDHolder security descriptor on this node.
AdminSDHolder is an Active Directory container which acts as a security descriptor template. The associated ProtectAdminGroups (not SDProp) background task runs on the domain controller holding the PDCe FSMO role. Any modifications made to the security descriptor of the AdminSDHolder container will be tattooed on the target node by the ProtectAdminGroups background task every hour, by default.
Any modifications to the AdminSDHolder node’s security descriptor via inbound Owns, WriteOwner, or
WriteDACL edges will propagate to all nodes with an inbound ProtectAdminGroups edge from the originating
AdminSDHolder node at the next run of the ProtectAdminGroups background task on the PDCe for the domain.The amount of time between ProtectAdminGroups run cycles defaults to 1 hour, but is controlled via a
registry key setting on the PDCe and can be as little as 1 minute or as much as 120 minutes.
Modifications to the AdminSDHolder security descriptor can be detected via SACLs if configured and ingested,
as can modifications to the security descriptor of any objects that AdminSDHolder protects.If auditing is properly configured in the environment, Event ID 4780 will be generated if the ProtectAdminGroups background task tattoos
the AdminSDHolder security descriptor on a protected object.
