You want to modify the ACL for user accounts that are members of one of the administrative groups.
Using one of the methods described in Recipe 14.10, modify the ACL on the cn=AdminSDHolder,cn=Systems,<DomainDN> object in the domain the administrator accounts reside in. The ACL on this object gets applied every hour to all user accounts that are members of the administrative groups.
If you've ever tried to directly modify the ACL on a user account that was a member of one of the administrative groups in Active Directory, or you modified the ACL on the OU containing an administrative account and wondered why the account's ACL was overwritten later, you've come to the right place. The Admin SD Holder feature of Active Directory is one that many administrators stumble upon after much grinding of teeth. However, after you realize the purpose for it, you'll understand it is a necessary feature.
Once an hour, a process on the PDC Emulator, which I'll refer to as the Admin SD Holder process, compares the ACL on the AdminSDHolder object to the ACL on the accounts that are in administrative groups in the domain. If it detects a difference, it will overwrite the account ACL and disable inheritance. If you later remove a user from an administrative group, you will need to reapply any inherited permissions and enable inheritance if necessary. The Admin SD Holder process will not take care of this for you.
The Admin SD Holder process is intended to subvert any malicious activity by a user that has been delegated rights over an OU or container that contains an account that is in one of the administrative groups. The malicious user could, for example, reset the password of the account and log in to the domain using that account, which would give him elevated privileges to do even more malicious things.
These are the groups included as part of the Admin SD Holder processing:
The Administrator and Krbtgt user accounts are also specifically checked during the Admin SD Holder process.
MS KB 232199 (Description and Update of the Active Directory AdminSDHolder Object), MS KB 306398 (AdminSDHolder Object Affects Delegation of Control for Past Administrator Accounts), and MS KB 817433 (Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled)