The AdminSDHolder object updates security descriptors every 60 minutes.

To alter the frequency, use REG.EXE, built into Windows XP, and Windows Server 2003, or REG.EXE from the Windows 2000 Support Tools on the CD-ROM:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /V AdminSDProtectFrequency /T REG_DWORD /F /D <Number>

Where <Number> has an allowable range from 1 to 120 minutes.

Prior to SP4, the Windows 2000 protected groups were:

<b>• Administrators
• Domain Admins
• Enterprise Admins
• Schema Admins</b>
Windows Server 2003 and Windows 2000 SP4 protects:
<b>• Administrators
• Account Operators
• Backup Operators
• Domain Admins
• Cert Publishers
• Enterprise Admins
• Print Operators
• Schema Admins
• Server Operators</b>
NOTE: The Administrator and Krbtgt accounts are always protected.

NOTE: See Best Practices for Delegating Active Directory Administration.