How can an attacker enumerate protected AD accounts and groups to identify targets for AdminSDHolder exploitation?

Protected accounts have the `AdminCount` attribute set to 1. Attackers can list them using PowerView (`Get-NetUser -AdminCount`), Adfind (`Adfind.exe -f "...admincount=1"`), or the ActiveDirectory PowerShell module. The article notes that even objects moved out of protected groups retain `AdminCount=1`, so former privileged accounts can also be targets.