AdminSDHolder SDProp Exclusion Added

Elastic Detection Rules

Summary
This rule detects modifications to the dsHeuristics attribute (on the Directory Service object in the forest's Configuration partition) at the position that controls which groups are excluded from the Security Descriptor Propagation (SDProp) process in Active Directory. SDProp periodically compares the permissions on protected accounts and groups with those defined on the domain's AdminSDHolder object and resets any that differ. The 16th character of dsHeuristics (dwAdminSDExMask) can exclude the Account Operators, Server Operators, Print Operators and Backup Operators groups from this protection; each bit of that hexadecimal character corresponds to one group. Once a group is excluded, an attacker who can write to it or to its members can plant extra permissions that SDProp will no longer revert, giving long-term access to privileged accounts. The rule triggers on a directory-service object change (Windows Security event 5136) that writes a dsHeuristics value whose 16th character is non-zero. The investigation guide covers identifying the user who made the change and whether they were authorized to make it, what the change implies for the affected groups, and how to restore the value. The rule is rated high risk; dsHeuristics changes rarely in a healthy domain, so any match that is not a documented administrative action should be investigated.
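As an added illustration of the detection condition described above (example code, not Elastic's rule query), the following Python reimplements the check over a handful of constructed records shaped like Windows event 5136 data and decodes which groups the new value excludes. Field names (event.code, AttributeLDAPDisplayName, AttributeValue, OperationType, SubjectUserName) follow the 5136 event fields; the sample records, user names and the filter on OperationType are assumptions of this example. The OperationType filter is there because removing an exclusion produces a "Value Deleted" record carrying the old, flagged value, and alerting on that would re-flag the remediation rather than the change.

```python
import re
from typing import Dict, Iterable, List

# Position (1-based) of dwAdminSDExMask in the dsHeuristics string and the
# meaning of its low four bits, per Microsoft's dsHeuristics documentation.
ADMIN_SD_EX_MASK_POS = 16
EXCLUDABLE_GROUPS = {
    0x1: "Account Operators",
    0x2: "Server Operators",
    0x4: "Print Operators",
    0x8: "Backup Operators",
}

# The rule's condition: at least 16 characters and a non-zero hex digit at
# position 16.
EXCLUSION_PATTERN = re.compile(r"^.{15}[1-9a-fA-F]")


def admin_sd_ex_mask(ds_heuristics: str) -> int:
    """Return dwAdminSDExMask (0-15), or 0 if the string is too short or
    the character is not a hex digit."""
    if len(ds_heuristics) < ADMIN_SD_EX_MASK_POS:
        return 0
    try:
        return int(ds_heuristics[ADMIN_SD_EX_MASK_POS - 1], 16)
    except ValueError:
        return 0


def excluded_groups(ds_heuristics: str) -> List[str]:
    """Decode the mask into the groups that SDProp will stop protecting."""
    mask = admin_sd_ex_mask(ds_heuristics)
    return [name for bit, name in EXCLUDABLE_GROUPS.items() if mask & bit]


def is_sdprop_exclusion_change(event: Dict[str, str]) -> bool:
    """True for a 5136 record that writes dSHeuristics with a non-zero
    16th character. The OperationType filter is this example's addition
    (raw 5136 events carry it as a resource-string code; the constructed
    samples use the readable form)."""
    return (
        event.get("event.code") == "5136"
        and event.get("AttributeLDAPDisplayName", "").lower() == "dsheuristics"
        and event.get("OperationType") == "Value Added"
        and EXCLUSION_PATTERN.match(event.get("AttributeValue", "")) is not None
    )


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the check over a stream of records and enrich each hit."""
    alerts = []
    for ev in events:
        if is_sdprop_exclusion_change(ev):
            alerts.append({
                "user": ev.get("SubjectUserName"),
                "value": ev["AttributeValue"],
                "excluded": excluded_groups(ev["AttributeValue"]),
            })
    return alerts


# Constructed sample records (not real telemetry). A single modification
# yields two 5136 records: "Value Deleted" with the old value, then
# "Value Added" with the new one.
DS_OBJECT = "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=corp,DC=local"
SAMPLE_EVENTS = [
    # jdoe enables exclusion of all four operator groups -> alert
    {"event.code": "5136", "SubjectUserName": "jdoe", "ObjectDN": DS_OBJECT,
     "AttributeLDAPDisplayName": "dSHeuristics", "OperationType": "Value Deleted",
     "AttributeValue": "0000000000000000"},
    {"event.code": "5136", "SubjectUserName": "jdoe", "ObjectDN": DS_OBJECT,
     "AttributeLDAPDisplayName": "dSHeuristics", "OperationType": "Value Added",
     "AttributeValue": "000000000000000f"},
    # a short value that never reaches position 16 -> no alert
    {"event.code": "5136", "SubjectUserName": "svc-ldap", "ObjectDN": DS_OBJECT,
     "AttributeLDAPDisplayName": "dSHeuristics", "OperationType": "Value Added",
     "AttributeValue": "0000002"},
    # admin removes an exclusion: the old, flagged value appears only in
    # the "Value Deleted" record -> no alert
    {"event.code": "5136", "SubjectUserName": "admin", "ObjectDN": DS_OBJECT,
     "AttributeLDAPDisplayName": "dSHeuristics", "OperationType": "Value Deleted",
     "AttributeValue": "0000000000000001"},
    {"event.code": "5136", "SubjectUserName": "admin", "ObjectDN": DS_OBJECT,
     "AttributeLDAPDisplayName": "dSHeuristics", "OperationType": "Value Added",
     "AttributeValue": "0000000000000000"},
    # same string written to an unrelated attribute -> no alert
    {"event.code": "5136", "SubjectUserName": "tsmith", "ObjectDN": DS_OBJECT,
     "AttributeLDAPDisplayName": "description", "OperationType": "Value Added",
     "AttributeValue": "000000000000000f"},
    # bkp-admin excludes only Backup Operators -> alert
    {"event.code": "5136", "SubjectUserName": "bkp-admin", "ObjectDN": DS_OBJECT,
     "AttributeLDAPDisplayName": "dSHeuristics", "OperationType": "Value Added",
     "AttributeValue": "0000000000000008"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['user']} set dsHeuristics={alert['value']}; "
              f"SDProp now skips: {', '.join(alert['excluded'])}")
```

Running the script reports the two offending writes and, for each, the groups that SDProp will stop protecting, which is the first thing an analyst needs when deciding whether the change was an authorized administrative action.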
Categories
  • Windows
  • Endpoint
  • Identity Management
Data Sources
  • Active Directory
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.002
  • T1098
Created: 2022-02-24