Invoke Active Directory SDProp Powershell

Invoke Active Directory SDProp Powershell

Hello,

Active Directory uses an internal process named SDProp for “Security Descriptor Propagation” to apply different ACLs on high privileges users or groups. The process copy the ACL from the AdminSDHolder to protect those users and groups. You can read a lot more information on a previous article of mine.

Active Directory SDProp

By default this process runs on the PDCe (Primary Domain Controller Emulator) every hour. You can change the frequency with a simple registry key:

HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

So you can use this PowerShell line to change the default value:

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Value 60 -Name AdminSDProtectFrequency #In seconds

This is an example to set it to run every 60 seconds, I highly do not recommend this for production, it will hammer down your PDCe’s CPU.

Invoke Active Directory SDProp LDP

Microsoft provides a way to trigger this without changing the frequency with a very old tool named “ldp.exe”. You can find the procedure here, it’s not complicated, but it’s not PowerShell, so we can do better.

Invoke Active Directory SDProp Powershell

A while back I saw a PowerShell script posted on TechNet that used pure PowerShell to trigger SDProp, I created a function heavily inspired from Shane’s work.

The function is available on my GitHub repository.

I added the possibility to choose the task name to run. Indeed, legacy operating systems (pre 2008) used the “FixUpInheritance” and modern OS (2008 and later) use “RunProtectAdminGroupsTask” to trigger SDProp.

Invoke Active Directory SDProp Powershell - Example

Invoke Active Directory SDProp Powershell – Example

You can also use the help:

Get-Help Invoke-ADSDPropagation -ShowWindow
Invoke Active Directory SDProp Powershell - Help

Invoke Active Directory SDProp Powershell – Help

Or:

Show-Command Invoke-ADSDPropagation
Invoke Active Directory SDProp Powershell - Show-Command

Invoke Active Directory SDProp Powershell – Show-Command

Now, you can start a SDProp without using a two decades old ldp.exe!

Leave a Reply