The AdminSDHolder object rolls back to accounts that are part of a protected group, such as the Enterprise Admins group. The AdminSDHolder SDProp process watches for manual changes to protected accounts and overwrites them with a known-good permission set. However, sometimes you might like to enable a certain group—for example, to give a group of security administrators in the organization the ability to make changes to accounts protected by the AdminSDHolder object.
To delegate permissions, you need to change them on the AdminSDHolder object itself by using the ADSI Edit tool. Begin by opening ADSI Edit and connect to the Default naming context. Within the Default naming context, expand the DC to find CN=System.
Right-click CN=AdminSDHolder and select Properties. On the Properties sheet, click the Security tab to reveal the security for the object (see Figure 4-15).

70-413-fm48

FIGURE 4-15 Security attributes on the CN=AdminSDHolder object

Clicking Advanced reveals the Advanced Security Settings dialog box, as shown in Figure 4-16. Click Enable Inheritance in this dialog box and then click Apply.

70-413-ff67

FIGURE 4-16 Advanced Security Settings for the CN=AdminSDHolder object.
Next, click Add. In the Permission Entry dialog box, select a principal that will obtain the permissions and then set the permissions themselves. For example, Figure 4-17 shows the Permission Entry dialog box with a group called the Rapid Response Team chosen as the principal.
This group then is granted Full Control.

70-413-ff68

FIGURE 4-17 Delegating Full Control on AdminSDHolder to a group.
When the SDProp process executes again (by default every hour), these permissions are applied, and the Rapid Response Team gains Full Control over AdminSDHolder-managed objects.