In Active Directory default, a set of High-Privileged accounts and groups is created when you create your domain. They are often called Protected Groups/Users.
From the beginning at Windows 2000 Server there were four protected groups:
Administrators
Domain Admins
Enterprise Admins
Schema Admins
In Windows 2000 SP4 and Windows 2003 Server they added a bunch of Groups and two user accounts:
Administrator
Krbtgt
Backup Operators
Cert Publishers (removed in Windows 2003 Server SP1)
Domain Controllers
Print Operators
Replicator
Server Operators
Account Operators
And in Windows 2008 Server they added:
Read-Only Domain Controllers
And one last thing, in a hotfix for Windows 2000/2003 Server the ability to remove a few groups as protected groups was enabled:
Account Operators
Server Operators
Print Operators
Backup Operators
This is done with the help of the dsHeuristic attribute flag.
http://support.microsoft.com/?id=817433
So, what is so special to know about protected groups except that they have high privileges and the most of them should almost never be used?
Those who have a delegated Organizational Unit structure may have noticed that every hour the specific delegated rights disappear for some of the admins and create a headache. This is what this post is all about. The AdminSDHolder, SDProp and adminCount misunderstandings.