Why is it important to understand the AdminSDHolder propagation mechanism when assessing domain security?
The 60-minute automatic propagation means any ACL backdoor placed on AdminSDHolder is re-applied even if a specific account’s ACL is manually cleaned, making it a stealthy persistence method. Attackers may combine this with token-based attacks such as those covered in "Penetration Techniques - Exploitation of net session in Windows". Understanding this helps defenders prioritize detection of AdminSDHolder changes over individual account audits.
propagation, persistence, security assessment, SDProp, domain security