Understanding AdminSDHolder and Protected Groups
Posted by Awinish on March 1, 2011
If you have faced an issue, where you add a domain user to a protected group like administrators,domain admins, enterprise admins, schema admins, account operator etc. & after an hour or so membership disappears & you are scratching your head who did it. You start your findings & come to know its “AdminSDHolder” which reside in system partition reset the ACL to preserver the protected group from misuse & its built-in function. You can disable the automatic reset of permission on protected/built-in groups, but i would say you are inviting security flaws in your environment.
If you want to understand the details of AdminSDHolder & its working, take a look at below posted link. MVP John Policelli on has explained in-depth on his blog & i thought sharing it to readers on my blog too.
Five common questions about AdminSdHolder and SDProp