Security Permissions Keep Dissappearing

Hmmm it looks is related to AdminSDHolder object. This means that at every hour, the Windows 2000 domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principals (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative groups against the ACL on the following object: CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com

If the ACL is different, the ACL on the user object is overwritten to reflect the security settings of the AdminSDHolder object (which includes disabling ACL inheritance). This protects these administrative accounts from being modified by unauthorized users if the accounts are moved to a container or organizational unit in which a user has been delegated administrative privilege for the modification of user accounts. Note that when a user is removed from the administrative group, the process is not reversed and must be manually changed.
 
Check this: http://support.microsoft.com/kb/232199

My fault for not saying in the question, but I did tag it. Our environment runs on Windows 2003 .. the solution you reference is for 2000.  

meugen is correct, the problem lays in the ADminSDHolder. This object in AD stores the permissions for Domain Admins in your domain. If you add permissions on a user who is a domain admin, once a hour your domain will reset it to look like the AdminSDHolder object again.

To fix, you will need to fix the permission on that object. Unfortunetly this object isnt a "User" object so it is hard to use the GUI to fix. You may need to use the DSACLS command.

That is true, it is the Domain Admin that is having Permissions reset. This all sounds right. It is just on the link for the fix it said for 2000 only. there is a DSACLS command built into 2003 however it is unclear how I would use it to clear up this problem.

A little more info: (i answer this question a lot)

https://www.experts-exchange.com/questions/23799108/AdminSDHolder-Blackberry-Enterprise-Server-on-Administrator-member.html

Ok, you've nailed it.. but I have a an issue.. This is what happens.
On the DC, I open command prompt. then type in teh following..
dsacls "cn=adminsdholder,cn=system,dc=Steerman,dc=com" /G "STEERMAN\Admin.Blackberry:CA;Send As"

It tells me "specified domain either does not exist or could not be contacted".  So I tried full Object name Steerman.Parkwood and got the same result.  is it because of the dc=com?

yah its something w/ your domain. Look in AD to verify if "Steerman.com" is listed as your Domain.

it's not a .com  domain is Steerman.Parkwood .. (this was created before I took over)

Ok. chnge the dsacls string to match...

dc=Steerman,dc=Parkwood

So I tried ... dsacls "cn=adminsdholder,cn=system,dc=Steerman,dc=ParkWood" /G "STEERMAN\Admin.Blackberry:CA;Send As"

And this is what I got (see attachment)

results.txt

Great! The command completed Successfully. Wait an hour for the permissions to get sent to your objects and lets see how we do!

Yeap.. everything seems to be working now thanks !! You're my hero...  ALthough now I'm having a MAPI issue for Blackberry Manager, I'll post that one seperately..

Thanks Again

Could you please mark my solution as the "Accepted" one rather than the "assisted" one? This will help other users find a solution easier when searching.