You want to modify the ACL for user accounts that are members of one of the administrative groups.

Using one of the methods described in Recipe 14.10, modify the ACL on the cn=AdminSDHolder,cn=Systems,<DomainDN> object in the domain the administrator accounts reside in. The ACL on this object gets applied every hour to all user accounts that are members of the administrative groups.

If you’ve ever tried to directly modify the ACL on a user account that was a member of one of the administrative groups in Active Directory, or you modified the ACL on the OU containing an administrative account and wondered why the account’s ACL was overwritten later, you’ve come to the right place. The Admin SD Holder feature of Active Directory is one that many administrators stumble upon after much grinding of teeth. However, after you realize the purpose for it, you’ll understand it is a necessary feature.

Once an hour, a process on the PDC Emulator, which I’ll refer to as the Admin SD Holder process, compares the ACL on the AdminSDHolder object to the ACL on the accounts that are in administrative groups in the domain. If it detects a difference, it will overwrite the account ACL and disable inheritance. If you later remove a user from an administrative group, you will need to reapply any inherited permissions and enable inheritance if necessary. The Admin SD Holder process will not take care of this for you.

The Admin SD ...