Monday, July 6, 2009

AdminSDHolder: Security or Trouble?

Hello Folks,
Most of us have wondered why permissions we set on certain accounts are lost after a specific period. To be exact about the "period": it is 60 minutes. What causes them to revert to what they were?
"AdminSDHolder": is that what you said? Then you are 100% right.
What is AdminSDHolder?
The adminSDHolder object lives in the System container of each domain in the forest (CN=AdminSDHolder,CN=System,DC=domain-name,DC=com) and is used as a template for the ACLs on members of protected groups.
Every sixty minutes the PDCe role holder compares the ACL defined on each user object that is a member of a protected group with the ACL defined on the adminSDHolder object. If the ACL on the user object differs from the ACL on the adminSDHolder object, the ACL on the user object is reset to that of the adminSDHolder object.

So what are protected groups?
Protected groups
All objects in Active Directory have an ACL. These ACLs can be changed by anyone with permissions to do so. By default, only administrators have the necessary permissions to do this; however, Active Directory was designed to be scalable, to be used in large, disparate environments and to support many delegation scenarios.

When you delegate control to users and/or groups (essentially, set permissions on objects for these users and/or groups) you increase the likelihood of giving non-administrative users permissions to modify attributes, permissions, etc. on administrative accounts. For example, consider the scenario in which a group is delegated control over an OU, and in that OU reside several members of the Domain Admins group. Depending on the permissions defined on the OU, the group to which control was delegated could be able to change the members of the Domain Admins group.

This is where the protected groups come in: the ACL on any member of a protected group is reset every 60 minutes. This reset is made by the PDCe, and the template that contains the ACL to which the protected group members are reset is the adminSDHolder object. The reason for protected groups and the adminSDHolder object is so that the aforementioned delegation scenario cannot happen. It would be a grave security hole if any user with permissions to change group memberships on all user objects in an OU were able to modify the administrative users.


What groups are considered protected?
The following groups are classed as protected in Windows 2000 SP4 and Windows Server 2003.

Note. Prior to Windows 2000 SP4 this list was somewhat smaller, containing only Administrators, Domain Admins, Enterprise Admins, and Schema Admins.

Administrators
Account Operators
Backup Operators
Cert Publishers
Domain Admins
Enterprise Admins
Print Operators
Schema Admins
Server Operators

The Administrator and krbtgt user objects are also considered protected.
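To see the mechanism described above in action, the script below (an added example, not part of the original post) reads the AdminSDHolder template, enumerates the members of the protected groups listed above, and then reports every object that the PDCe has already stamped with adminCount=1: whether it still belongs to a protected group, whether its DACL currently matches the template, and whether ACL inheritance is switched off on it. It assumes the ActiveDirectory PowerShell module (RSAT) with its AD: drive, a domain-joined session, and the default English group names; the comparison is done on the DACL portion of the SDDL string, which is what the hourly reset rewrites.

```powershell
# Added example (not from the original post): compare the DACL of every account
# stamped with adminCount=1 against the AdminSDHolder template and flag objects
# that no longer belong to any protected group (an "orphaned" adminCount).
# Assumes the ActiveDirectory module (RSAT) and default English group names.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# DACL of the template object that the PDC emulator copies onto protected accounts.
$templateAcl  = Get-Acl -Path "AD:\$holderDN"
$templateDacl = $templateAcl.GetSecurityDescriptorSddlForm('Access')

# Groups the post lists as protected (Windows 2000 SP4 / Server 2003 set).
$protectedGroups = @('Administrators', 'Account Operators', 'Backup Operators',
    'Cert Publishers', 'Domain Admins', 'Enterprise Admins', 'Print Operators',
    'Schema Admins', 'Server Operators')

# Resolve every (nested) member of a protected group into one set of DNs.
$protectedMembers = @{}
foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $protectedMembers[$_.DistinguishedName] = $true }
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}
# The two user objects the post calls out as protected in their own right.
foreach ($u in 'Administrator', 'krbtgt') {
    $protectedMembers[(Get-ADUser -Identity $u).DistinguishedName] = $true
}

# Every object the hourly process has already touched carries adminCount=1.
$stamped = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount

$report = foreach ($obj in $stamped) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    [pscustomobject]@{
        Name           = $obj.Name
        Class          = $obj.ObjectClass
        # False here means the account left its protected group but kept the
        # restrictive ACL and adminCount=1; the reset never clears them.
        StillProtected = $protectedMembers.ContainsKey($obj.DistinguishedName)
        # False here means the reset has not run yet (it runs hourly on the
        # PDCe) or the ACL was changed within the last hour; either merits a look.
        MatchesTemplate = ($acl.GetSecurityDescriptorSddlForm('Access') -eq $templateDacl)
        InheritanceOff  = $acl.AreAccessRulesProtected
    }
}

$report | Sort-Object StillProtected, MatchesTemplate | Format-Table -AutoSize
```

Run it from an account that can read the security descriptors of the objects involved (by default any authenticated user can read them, but some hardened domains restrict this). Objects with StillProtected equal to False are the classic leftover case: the reset process only ever applies the template, it never reverses it, so an account removed from Domain Admins keeps the locked-down ACL and inheritance stays off until an administrator clears adminCount and re-enables inheritance by hand.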
