One Day Sec

What is the AdminSDHolder object and why is it a target for privilege persistence in Active Directory?

AdminSDHolder is a special AD container that acts as a template for protected accounts and groups, like Domain Admins. Every 60 minutes (by default), the domain applies its ACL to all protected objects, so if an attacker modifies the AdminSDHolder ACL, they gain persistent high privileges over these accounts. This technique is covered in detail in the article Domain Penetration - AdminSDHolder.
AdminSDHolder, Active Directory, ACL persistence, privilege escalation
