G'day viewers, my name is Orin Thomas. I'm a principal hybrid cloud advocate at Microsoft. In this video, you'll learn about the processes inside Active Directory that refresh and reset the permissions on important privileged security principals. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description. Active Directory contains a default set of highly privileged accounts and groups that are protected by special processes. These processes ensure that if somebody manually changes a protected object's permissions, those permissions are returned to their defaults quickly. In this video, you'll learn which accounts and groups are protected in Active Directory in this manner and how you can trigger the process to revert permissions manually rather than waiting for the next refresh to occur.

The following privileged groups and accounts have their default assigned rights and permissions reset periodically: Account Operators, Administrator, Administrators, Backup Operators, Domain Admins, Domain Controllers, Enterprise Admins, KRBTGT, Print Operators, Read-only Domain Controllers, Replicator, Schema Admins, and Server Operators. It is important to note that whilst these accounts and groups have their permissions reset periodically, the membership of these protected groups is not reset unless you are using Restricted Groups policies.

The purpose of the AdminSDHolder object is to provide template permissions for the protected accounts and groups in the domain. AdminSDHolder is automatically created as an object in the System container of every Active Directory domain. The image in the video displays the permissions assigned to AdminSDHolder. You can view these by examining the properties of the AdminSDHolder object after turning on the Advanced Features option of Active Directory Users and Computers.
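To see which objects SDProp currently treats as protected and whether their permissions still match the AdminSDHolder template, the following PowerShell script is an added example (not from the video or the linked article). It assumes the RSAT ActiveDirectory module is installed, that you run it in the domain you want to inspect, and that the account has read access to the objects; the function name Get-AdminSDHolderDrift is my own.

```powershell
# Added example (not from the video or the linked article): compare the DACL of every
# object SDProp considers protected (adminCount=1) with the AdminSDHolder template.
# Assumes the RSAT ActiveDirectory module and read access to the current domain.
Import-Module ActiveDirectory

function Get-AdminSDHolderDrift {
    [CmdletBinding()]
    param()

    $domainDN = (Get-ADDomain).DistinguishedName
    $holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

    # Template DACL as SDDL; 'Access' selects the DACL section only, which is what SDProp stamps.
    $templateAcl  = Get-Acl -Path "AD:\$holderDN"
    $templateDacl = $templateAcl.GetSecurityDescriptorSddlForm('Access')

    # SDProp sets adminCount=1 on everything it touches. The attribute is NOT cleared when an
    # object leaves a protected group, so stale (formerly protected) objects also appear here.
    $protected = Get-ADObject -SearchBase $domainDN -LDAPFilter '(adminCount=1)' -Properties adminCount

    foreach ($obj in $protected) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        [pscustomobject]@{
            Name                = $obj.Name
            ObjectClass         = $obj.ObjectClass
            DistinguishedName   = $obj.DistinguishedName
            # SDProp disables inheritance on protected objects, so True is the expected state.
            InheritanceDisabled = $acl.AreAccessRulesProtected
            # False means the DACL differs from the template and will be reset on the next SDProp run.
            DaclMatchesTemplate = ($acl.GetSecurityDescriptorSddlForm('Access') -eq $templateDacl)
        }
    }
}

# Report only the objects that currently deviate from the AdminSDHolder template.
Get-AdminSDHolderDrift |
    Where-Object { -not $_.DaclMatchesTemplate -or -not $_.InheritanceDisabled } |
    Format-Table Name, ObjectClass, InheritanceDisabled, DaclMatchesTemplate -AutoSize
```

A mismatch reported here is expected to disappear by itself within one SDProp interval (60 minutes by default); an object that stays in the list across runs, or an object you did not expect to carry adminCount=1, is worth investigating.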
If you suspect these permissions have been modified, you can use the Restore Defaults button to return the permissions to the default configuration. Unlike most objects in the Active Directory domain, which are owned by the Administrators group, AdminSDHolder is owned by the Domain Admins group. By default, Enterprise Admins can make changes to any domain's AdminSDHolder object, as can the domain's Domain Admins and Administrators groups. Additionally, although the default owner of AdminSDHolder is the domain's Domain Admins group, members of Administrators and Enterprise Admins can take ownership of the object. As discussed in previous videos on this channel, you should restrict membership of the Enterprise Admins and Domain Admins groups, as shenanigans often ensue when there are too many overprivileged accounts in an AD DS forest.

SDProp is a process that runs every 60 minutes by default on the domain controller that holds the domain's PDC emulator FSMO role. SDProp compares the permissions on the domain's AdminSDHolder object with the permissions on the protected accounts and groups in the domain. If the permissions on any of the protected accounts and groups do not match the permissions on the AdminSDHolder object, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object. Additionally, permissions inheritance is disabled on protected groups and accounts, which means that even if the accounts and groups are moved to different locations in the directory, they do not inherit permissions from their new parent objects. Inheritance is also disabled on the AdminSDHolder object itself so that permission changes to its parent objects do not change the permissions of AdminSDHolder.

If you need to change the SDProp interval on the DC that hosts the PDC emulator role, use Regedit to add or modify the AdminSDProtectFrequency DWORD value in the HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters section of the registry. The range of values you can configure is in seconds, between 60 and 7200 (one minute to two hours). To revert any changes you have made, delete the AdminSDProtectFrequency value, which will cause SDProp to revert to the 60-minute interval. Reducing this interval below 60 minutes in production domains can increase LSASS processing overhead on the domain controller.

Rather than modifying this setting, you can run SDProp manually. You might do this after resetting the permissions assigned to AdminSDHolder to the defaults. You can run SDProp manually using the LDP.EXE utility; when you do this, it will not impact the scheduled execution. To do this, perform the following steps. Launch LDP.EXE. In the LDP dialog box, click Connection, click Connect, and specify the name of the domain controller that holds the PDC emulator role. Verify that you have connected successfully, as indicated by DN: (RootDSE) being displayed. Click Connection and click Bind. Once the connection is established, click Browse and click Modify. In the Modify dialog box, leave the DN field blank. In the Edit Entry Attribute field type RunProtectAdminGroupsTask, in the Values field type 1, and click Enter to populate the entry list. In the populated Modify dialog box, click Run. This triggers SDProp, and the permissions configured on AdminSDHolder will be applied to the protected objects.

In this video you learned about the special protected user and group objects in Active Directory, the AdminSDHolder object that holds the template copy of those objects' permissions, and the SDProp process that refreshes these permissions on an hourly basis. The advice in this video is drawn from the article linked in the video description. Increasing the security controls applied to Active Directory will improve your overall AD DS security posture but will not make your systems invulnerable.
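The registry-interval procedure and the LDP.EXE steps above can both be scripted. The following PowerShell is an added example (not from the video or the linked article): it reads, sets and removes the AdminSDProtectFrequency value on the PDC emulator with the 60 to 7200 second range enforced, and triggers SDProp by writing the runProtectAdminGroupsTask operational attribute on the PDC emulator's rootDSE, which is the same operation LDP.EXE performs. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the PDC emulator, and Domain Admins rights; the function names are my own.

```powershell
# Added example (not from the video or the linked article): manage the SDProp interval
# on the PDC emulator and trigger an SDProp run on demand.
# Assumes the RSAT ActiveDirectory module, PowerShell remoting to the PDC emulator,
# and Domain Admins rights (the rootDSE modify requires them).
Import-Module ActiveDirectory

# Registry location and value named in the documentation.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'AdminSDProtectFrequency'

function Get-PdcEmulator {
    # SDProp only runs on the PDC emulator, so every operation targets that DC.
    (Get-ADDomain).PDCEmulator
}

function Get-SDPropInterval {
    # Returns the configured interval in seconds, or 3600 when the value is absent (the default).
    Invoke-Command -ComputerName (Get-PdcEmulator) -ScriptBlock {
        param($path, $name)
        $v = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $v) { 3600 } else { [int]$v }
    } -ArgumentList $RegPath, $ValueName
}

function Set-SDPropInterval {
    param(
        # Documented supported range is 60 to 7200 seconds (one minute to two hours).
        # Values below 3600 raise LSASS overhead on the DC; prefer Invoke-SDProp for one-off runs.
        [Parameter(Mandatory)][ValidateRange(60, 7200)][int]$Seconds
    )
    Invoke-Command -ComputerName (Get-PdcEmulator) -ScriptBlock {
        param($path, $name, $seconds)
        # REG_DWORD; created if missing, overwritten otherwise.
        Set-ItemProperty -Path $path -Name $name -Value $seconds -Type DWord
    } -ArgumentList $RegPath, $ValueName, $Seconds
}

function Reset-SDPropInterval {
    # Deleting the value returns SDProp to its 60-minute default.
    Invoke-Command -ComputerName (Get-PdcEmulator) -ScriptBlock {
        param($path, $name)
        Remove-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    } -ArgumentList $RegPath, $ValueName
}

function Invoke-SDProp {
    # Scripted equivalent of the LDP.EXE steps: bind to the PDC emulator's rootDSE and
    # write runProtectAdminGroupsTask=1. This is an operational attribute; the write
    # starts the task and does not alter the scheduled run.
    $rootDse = [ADSI]"LDAP://$(Get-PdcEmulator)/RootDSE"
    $rootDse.Put('runProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

# Typical use: confirm the interval is still the default, then run SDProp once
# after restoring the AdminSDHolder permissions to their defaults.
"SDProp interval on PDC emulator: $(Get-SDPropInterval) seconds"
Invoke-SDProp
```

Set-SDPropInterval is included for completeness; as the video notes, a manual Invoke-SDProp after fixing AdminSDHolder is the lower-impact choice, and Reset-SDPropInterval puts the PDC emulator back on the default schedule if someone has shortened it.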
Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed-breach philosophy. We are interested in hearing about your experiences as an AD DS administrator. Are there any AD DS security or Windows Server related topics you'd like us to cover in a future video? If so, provide your suggestion in the comments. I hope you found this video useful and informative. My name is Orin Thomas, you can find me at aka.ms/orin, and if you've got any questions or feedback, drop a comment below.