AdminSDHolder
Adding a user to this container’s Security Descriptor will add permissions for that user over all the Protected Groups, because SDProp copies the container’s ACL onto every protected object.
Note: The user will not become a member of the groups, but will have an entry in the “Security” tab of the objects. That means the user can make changes to the groups, but does not have the rights of the groups.
I will research a way that this can be done with pure PowerShell (if possible); in the meantime, I will put here how to do it with PowerView.
Add-DomainObjectAcl -TargetIdentity '<DN of AdminSDHolder>' -PrincipalIdentity <SamAccountName to add> -Rights <Rights> -PrincipalDomain <FQDN of domain> -TargetDomain <FQDN of domain> -Verbose
SDProp runs every hour; we can wait or force it to propagate the new user rights immediately.
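Because the change lives in the AdminSDHolder ACL itself, it can be caught by comparing that ACL against a baseline. The following audit is an added example, not part of the original page; the function name, the `CONTOSO` domain, the `svc-backup` account and the baseline list are assumptions, and the sample ACEs are constructed.

```powershell
# Added example: flag write-capable Allow ACEs on AdminSDHolder whose trustee
# is not in an expected baseline.
Add-Type -AssemblyName System.DirectoryServices

# Assumed baseline of trustees allowed to hold write rights; confirm it
# against a known-good domain and extend it for your environment.
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\Domain Admins',
    'CONTOSO\Enterprise Admins'
)

# Individual write bits only. GenericAll contains all three, so it matches;
# GenericRead contains none of them, so read-only ACEs are ignored.
$RiskyRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, WriteProperty'

function Find-UnexpectedAdminSDHolderAce {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        [Parameter(Mandatory)] [string[]] $Expected
    )
    foreach ($a in $Ace) {
        $rights  = [System.DirectoryServices.ActiveDirectoryRights] $a.ActiveDirectoryRights
        $isAllow = "$($a.AccessControlType)" -eq 'Allow'
        $isRisky = ([int]$rights -band [int]$RiskyRights) -ne 0
        if ($isAllow -and $isRisky -and ($Expected -notcontains "$($a.IdentityReference)")) {
            [pscustomobject]@{ Trustee = "$($a.IdentityReference)"; Rights = $rights }
        }
    }
}

# Constructed sample ACEs, shaped like the entries in (Get-Acl).Access.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Admins';            ActiveDirectoryRights = 'GenericAll';  AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; ActiveDirectoryRights = 'GenericRead'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\svc-backup';               ActiveDirectoryRights = 'GenericAll';  AccessControlType = 'Allow' }
)
Find-UnexpectedAdminSDHolderAce -Ace $sample -Expected $ExpectedTrustees

# Live use (ActiveDirectory module on a domain-joined host):
#   Import-Module ActiveDirectory
#   $dn = "CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
#   Find-UnexpectedAdminSDHolderAce -Ace (Get-Acl -Path "AD:\$dn").Access -Expected $ExpectedTrustees
```

Run on a schedule, any trustee this reports that is not a deliberate delegation is worth investigating, since SDProp will keep re-applying that ACE to every protected object.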