The type of modification made to the runProtectAdminGroupsTask attribute and the values specified in the LDAP Modify operation have no significance. If the DC is the PDC FSMO role owner, an LDAP Modify of the runProtectAdminGroupsTask attribute causes the DC to run the AdminSDHolder protection operation (section 220.127.116.11.1). Otherwise, the Modify request does not have any effect. The requester must have the "Run-Protect-Admin-Groups-Task" control access right on the domain root of the DC. The LDAP server returns success after the AdminSDHolder operation has completed.
An LDIF sample that performs this operation is shown as follows.
dn:
changetype: modify
add: runProtectAdminGroupsTask
runProtectAdminGroupsTask: 1
-
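As an added example (not part of the original specification text), the following Python sketch reviews LDIF change records, such as those in an administrative script, and flags the ones that would request the AdminSDHolder protection operation. It assumes the request is addressed with an empty DN as in the sample above; the function names and SAMPLE_LDIF are hypothetical and constructed for illustration.

```python
# Added example, not from the original page; SAMPLE_LDIF is constructed.
# Flags LDIF change records that request the AdminSDHolder protection task.
TRIGGER_ATTR = "runprotectadmingroupstask"   # compared case-insensitively
MOD_OPS = {"add", "replace", "delete"}
SAMPLE_LDIF = """\
dn:
changetype: modify
add: runProtectAdminGroupsTask
runProtectAdminGroupsTask: 1
-

dn:
changetype: modify
delete: RunProtectAdminGroupsTask
-

dn: CN=svc-demo,OU=Constructed,DC=example,DC=test
changetype: modify
delete: description
-
"""

def parse_change_records(ldif_text):
    """Return one (dn, changetype, [(op, attribute), ...]) tuple per record."""
    records = []
    for block in ldif_text.strip().split("\n\n"):
        dn, changetype, mods, in_mod = None, None, [], False
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "-":                     # "-" closes one modification
                in_mod = False
            elif key == "dn":
                dn = value                     # empty DN, as in the page's sample
            elif key == "changetype":
                changetype = value.lower()
            elif not in_mod and key in MOD_OPS:
                mods.append((key, value.lower()))
                in_mod = True                  # following lines are values
        records.append((dn, changetype, mods))
    return records

def triggers_protect_task(record):
    """Operation type and values are ignored, as the text above specifies."""
    dn, changetype, mods = record
    return dn == "" and changetype == "modify" and any(a == TRIGGER_ATTR for _, a in mods)

def scan(ldif_text):
    return [triggers_protect_task(r) for r in parse_change_records(ldif_text)]
```

The parser does not handle base64-encoded (`dn::`) values or folded lines, so normalize such input before scanning.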