What are the steps to add an ACL for a user to the AdminSDHolder object to gain domain admin privileges?

Using PowerView, an attacker runs `Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName testa -Rights All`. After the default 60-minute propagation (adjustable via registry), `testa` obtains full control over all protected groups, enabling actions like adding accounts to Domain Admins. See the exploitation section in Domain Penetration - AdminSDHolder and understand Penetration Techniques - Access Control List in Windows for ACL basics.