Skip to content

Protected Accounts and Groups in Active Directory: A Guide for IT Professionals

Protected Accounts and Groups in Active Directory A Guide for IT Professionals

Protected Groups in Active Directory

In the evolving landscape of cybersecurity, protecting critical infrastructure such as Active Directory (AD) is paramount. At USAT Inc., we emphasize advanced technologies and best practices to safeguard your digital assets. A critical aspect of AD security involves managing protected accounts and groups, as outlined by Microsoft.

Overview of Protected Accounts and Groups

Active Directory contains a set of default, highly privileged accounts and groups known as protected accounts and groups. These include:

  • Administrators
  • Domain Admins
  • Enterprise Admins
  • Schema Admins
  • Account Operators
  • Backup Operators
  • Print Operators
  • Server Operators
  • Read-only Domain Controllers
  • Replicator
  • Krbtgt

These accounts and groups have elevated privileges that, if compromised, could lead to significant security breaches.

AdminSDHolder and SDProp: Key Security Mechanisms


  • Acts as a template for permissions on protected accounts and groups.
  • Located in the System container of every AD domain.
  • Ensures consistent application of security settings, even if objects are moved within AD.


  • A process that runs every 60 minutes by default.
  • Compares permissions on the AdminSDHolder object with those on protected accounts and groups.
  • Resets any altered permissions to match the AdminSDHolder settings, maintaining security integrity.

Modifying SDProp Interval

While typically unnecessary, adjusting the SDProp interval is possible for testing purposes. This can be done via the registry on the domain controller holding the PDC Emulator role. However, frequent adjustments in production environments are discouraged due to potential performance impacts.

Running SDProp Manually

For immediate testing of AdminSDHolder changes, SDProp can be manually executed using tools like Ldp.exe. This allows for verification of permission settings without altering the scheduled execution.

Best Practices for Managing Protected Accounts

  1. Regular Audits: Perform routine audits of permissions on protected accounts and groups.
  2. Minimal Access: Limit membership in highly privileged groups to essential personnel only.
  3. Monitoring: Implement continuous monitoring for any changes to these accounts and groups.
  4. Automation: Utilize automated processes like SDProp to enforce consistent security policies.

By adhering to these best practices, organizations can significantly enhance their Active Directory security posture, protecting critical systems from potential threats.

For more detailed guidance on managing protected accounts and groups in Active Directory, visit the Microsoft documentation.

At USAT Inc., we specialize in leveraging advanced technologies to create robust security frameworks. Contact us to learn how we can help fortify your IT infrastructure against evolving threats.


Also Read: