By default, Active Directory creates a set of high-privileged accounts and groups when you create a domain. They are often called protected groups and protected users.
From the beginning, in Windows 2000 Server, there were four protected groups:
In Windows 2000 Server SP4 and Windows Server 2003, a number of groups and two user accounts were added:
Cert Publishers (removed again in Windows Server 2003 SP1)
And in Windows Server 2008 they added:
Read-Only Domain Controllers
And one last thing: a hotfix for Windows 2000/2003 Server made it possible to exclude a few of the operator groups from the set of protected groups.
This is done with a flag in the forest-wide dsHeuristics attribute.
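As an added example (this is not code from the original post), the following PowerShell reads and sets that flag. The 16th character of dsHeuristics is a hex digit whose bits exclude Account Operators (1), Server Operators (2), Print Operators (4) and Backup Operators (8) from AdminSDHolder protection; it lives on the Directory Service object in the Configuration partition, so writing it needs Enterprise Admins rights. The function names and the bit table are mine; the cmdlets are the standard ActiveDirectory module ones.

```powershell
# Added example (not from the original post): inspect and set the exclusion
# digit (character 16) of the forest-wide dsHeuristics attribute.
Import-Module ActiveDirectory

# Bit values of the exclusion digit; only these four groups can be excluded.
$exclusionBits = [ordered]@{
    'Account Operators' = 1
    'Server Operators'  = 2
    'Print Operators'   = 4
    'Backup Operators'  = 8
}

function Get-DsHeuristicsPath {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
}

# Which operator groups are currently excluded from SDProp protection.
function Get-AdminSDExclusions {
    $obj   = Get-ADObject -Identity (Get-DsHeuristicsPath) -Properties dsHeuristics
    $value = [string]$obj.dsHeuristics
    if ($value.Length -lt 16) { return @() }    # digit absent: nothing excluded
    $mask = [Convert]::ToInt32($value.Substring(15, 1), 16)
    $exclusionBits.GetEnumerator() |
        Where-Object { ($mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Build the new attribute value without disturbing the other characters.
function New-DsHeuristicsValue {
    param([string]$Current, [string[]]$Exclude)
    $mask = 0
    foreach ($g in $Exclude) {
        if (-not $exclusionBits.Contains($g)) { throw "Cannot exclude '$g' via dsHeuristics" }
        $mask = $mask -bor $exclusionBits[$g]
    }
    # Pad to 16 characters. Every 10th character of dsHeuristics must equal its
    # position number (character 10 = '1'), so make sure that is set as well.
    $chars     = $Current.PadRight(16, '0').ToCharArray()
    $chars[9]  = '1'
    $chars[15] = ('{0:x}' -f $mask)[0]
    -join $chars
}

function Set-AdminSDExclusions {
    param([string[]]$Exclude)
    $path    = Get-DsHeuristicsPath
    $current = [string](Get-ADObject -Identity $path -Properties dsHeuristics).dsHeuristics
    $new     = New-DsHeuristicsValue -Current $current -Exclude $Exclude
    Set-ADObject -Identity $path -Replace @{ dsHeuristics = $new }
}

# Usage:
#   Get-AdminSDExclusions
#   Set-AdminSDExclusions -Exclude 'Print Operators', 'Backup Operators'
#   Set-AdminSDExclusions -Exclude @()     # back to the default: all four protected
```

Two caveats worth knowing before you flip this. The setting is forest-wide, not per domain. And SDProp only ever applies protection, it never removes it: members that were already stamped keep adminCount=1 and blocked inheritance until you clear the attribute and re-enable inheritance on them yourself.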
So, what is so special about protected groups, apart from the fact that they have high privileges and most of them should almost never be used?
Those who have delegated rights on an Organizational Unit structure may have noticed that every hour the delegated rights disappear for some of the admins, which creates a headache. That is what this post is about: the misunderstandings around AdminSDHolder, SDProp and adminCount.
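Before going into the explanation, here is an added PowerShell example (not code from the original post) that shows the symptom from the directory's point of view: which objects SDProp has stamped with adminCount=1, which of them are still in a protected group, which delegated ACEs on them differ from AdminSDHolder (those are the ones that vanish every hour), how to repair an object that is no longer protected, and how to trigger SDProp by hand instead of waiting. The function names are mine; the scan is limited to user objects because protected groups themselves also carry adminCount=1 but are not members of anything, and membership held only through primaryGroupID is not visible in the `member` attribute. It assumes the standard ActiveDirectory module and domain admin rights.

```powershell
# Added example (not from the original post): enumerate what SDProp has
# stamped, show the ACE drift it will overwrite, repair orphans, run SDProp now.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

# Escape a DN for use as an LDAP filter value (RFC 4515); backslash first.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# User objects SDProp has marked. SDProp never clears adminCount, so a user
# removed from every protected group stays stamped (an "orphan").
function Get-AdminCountUsers {
    Get-ADObject -LDAPFilter '(&(adminCount=1)(objectCategory=person))' `
        -SearchBase $domainDN -Properties adminCount
}

# Still a (nested) member of a protected group? Protected groups carry
# adminCount=1 themselves, so that is the filter. Membership that exists only
# via primaryGroupID is not in 'member' and is not seen here.
function Test-ProtectedMember {
    param([string]$ObjectDN)
    $dn = ConvertTo-LdapFilterValue $ObjectDN
    [bool](Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))")
}

# Explicit (non-inherited) ACEs of an object, flattened to comparable strings.
function Get-ExplicitAceKeys {
    param([string]$DN)
    (Get-Acl -Path "AD:\$DN").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            "$($_.IdentityReference)|$($_.AccessControlType)|$($_.ActiveDirectoryRights)|$($_.ObjectType)|$($_.InheritedObjectType)"
        }
}

# '=>' rows are ACEs on the object that AdminSDHolder does not have: exactly the
# delegated rights that disappear on the next SDProp run (every 60 minutes by default).
function Compare-WithAdminSDHolder {
    param([string]$ObjectDN)
    Compare-Object -ReferenceObject @(Get-ExplicitAceKeys $holderDN) `
                   -DifferenceObject @(Get-ExplicitAceKeys $ObjectDN)
}

# For an orphan: clear the flag and re-enable inheritance so OU delegation
# applies again. Refuses to touch an object that is still protected.
function Repair-OrphanedObject {
    param([string]$ObjectDN)
    if (Test-ProtectedMember $ObjectDN) { throw "$ObjectDN is still a protected member" }
    Set-ADObject -Identity $ObjectDN -Clear adminCount
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $acl.SetAccessRuleProtection($false, $true)   # inherit again, keep explicit ACEs
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

# Run SDProp immediately. The rootDSE write has to go to the PDC emulator.
function Invoke-SDProp {
    $pdc     = (Get-ADDomain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('RunProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

# Report: every stamped user, whether it is still protected, and its ACE drift.
foreach ($user in Get-AdminCountUsers) {
    $drift = Compare-WithAdminSDHolder $user.DistinguishedName |
             Where-Object SideIndicator -eq '=>'
    [pscustomobject]@{
        Object         = $user.DistinguishedName
        StillProtected = Test-ProtectedMember $user.DistinguishedName
        ExtraAces      = @($drift).Count
    }
}
```

Objects that report StillProtected=True with ExtraAces greater than zero are the ones whose delegated rights will be gone within the hour; fixing that means changing AdminSDHolder itself or taking the account out of the protected group, not re-applying the delegation. Objects with StillProtected=False are candidates for Repair-OrphanedObject, after you have checked their primary group by hand.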