Invoke Active Directory SDProp Powershell
Hello,
Active Directory uses an internal process named SDProp, for "Security Descriptor Propagation", to apply a specific set of ACLs to high-privilege users and groups. The process copies the ACL from the AdminSDHolder object onto those users and groups to protect them. You can read a lot more about it in a previous article of mine.
Active Directory SDProp
By default this process runs on the PDCe (Primary Domain Controller Emulator) every hour. You can change the frequency with a simple registry key:
HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
So you can use this PowerShell line to change the default value:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Value 60 -Name AdminSDProtectFrequency #In seconds
This example sets it to run every 60 seconds. I strongly recommend against doing this in production: it will hammer your PDCe's CPU.
Invoke Active Directory SDProp LDP
Microsoft provides a way to trigger SDProp without changing the frequency, using a very old tool named "ldp.exe". You can find the procedure here; it's not complicated, but it's not PowerShell, so we can do better.
Invoke Active Directory SDProp Powershell
A while back I saw a PowerShell script posted on TechNet that used pure PowerShell to trigger SDProp, so I created a function heavily inspired by Shane's work.
The function is available on my GitHub repository.
I added the possibility to choose the task name to run. Legacy operating systems (pre-2008) use "FixUpInheritance" and modern operating systems (2008 and later) use "RunProtectAdminGroupsTask" to trigger SDProp.
You can also use the help:
Get-Help Invoke-ADSDPropagation -ShowWindow
Or:
Show-Command Invoke-ADSDPropagation
Now you can start SDProp without using a two-decade-old ldp.exe!
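As an added example (not the Invoke-ADSDPropagation function from the GitHub repository above), this is the minimal mechanism the post describes: write the task name as an operational attribute on the rootDSE of the PDC emulator over LDAP, which is the same write ldp.exe performs. It assumes you run it with rights to modify rootDSE on the PDCe and uses only ADSI, so the ActiveDirectory module is not required; the account name "labadmin" in the check at the end is a hypothetical lab account.

```powershell
# Added example: trigger SDProp by writing the task attribute on the PDCe's rootDSE.
function Start-SDPropTask {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Pre-2008 DCs use FixUpInheritance; 2008 and later use RunProtectAdminGroupsTask.
        [ValidateSet('RunProtectAdminGroupsTask', 'FixUpInheritance')]
        [string]$TaskName = 'RunProtectAdminGroupsTask',

        # Optional explicit DC. By default the PDC emulator is resolved,
        # because that is the DC that actually runs SDProp.
        [string]$Server
    )

    if (-not $Server) {
        # Resolve the PDCe without the ActiveDirectory module.
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $Server = $domain.PdcRoleOwner.Name
    }

    if ($PSCmdlet.ShouldProcess($Server, "Run $TaskName (SDProp)")) {
        $rootDse = [ADSI]"LDAP://$Server/RootDSE"
        # Setting the operational attribute to 1 asks the DC to run the task now;
        # SetInfo() commits the LDAP modify.
        $rootDse.Put($TaskName, '1')
        $rootDse.SetInfo()
        [PSCustomObject]@{ Server = $Server; Task = $TaskName; Triggered = Get-Date }
    }
}

# Usage: trigger SDProp (use -WhatIf to see the target without writing), wait briefly,
# then confirm a protected account (hypothetical name "labadmin") still carries
# adminCount=1 and see when it was last touched by the propagation.
Start-SDPropTask -Verbose
Start-Sleep -Seconds 10
$searcher = [ADSISearcher]'(&(objectClass=user)(adminCount=1)(sAMAccountName=labadmin))'
$null = $searcher.PropertiesToLoad.Add('adminCount')
$null = $searcher.PropertiesToLoad.Add('whenChanged')
$searcher.FindOne()
```

Pass -TaskName FixUpInheritance only when the PDCe is a pre-2008 domain controller; on a modern DC the default task name is the one to use.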