This may take a bit to explain so bear with me here.
My journey started with moving to Exchange 2010 and wanting direct push to still work on my phone. In order for direct push to work, under the advanced settings in AD, in the Security tab -> Advanced, I must have "Allow inheritable permissions..." checked. However, if you're a domain admin you cannot have this; the system automatically unchecks it. As a result, I had to remove myself from Domain Admins and act as a normal user, like MS wants us all to do.
I quickly found out I couldn't manage users like I needed to, because I was no longer a local admin on their machines or on the servers. So I created a Restricted Groups setting in Group Policy that added a group called "IT Admins" to "Administrators". I did this on the whole domain and not just the container for the workstations, because I wanted to be the local admin on the servers as well.
When I did this, I noticed that after the GPO had propagated to everyone, the group "IT Admins" was now also in the BUILTIN\Administrators group on the domain. As a result, my personal user, through trickle-down, has the "Allow inheritable permissions..." checkbox turned off.
Now, after a week with this setting, I am still getting push e-mail just fine, so far. However, I'm curious how to stop the "IT Admins" user from being put in the domain "Administrators" group. I only want it in the local one. Is it because I have the GPO applied to the whole domain, and thus the AD servers, which don't have local groups, simply add it to the domain Administrators group?
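As an added example (not part of the original post or its replies), the following PowerShell script checks the three things the post describes from the command line instead of clicking through ADUC and GPMC: whether the "Allow inheritable permissions..." flag is still set on a user object, whether "IT Admins" has landed in the domain's BUILTIN\Administrators group and whether the user is an effective member of it, and which GPOs are linked at the domain root and at the Domain Controllers OU (where a domain-linked GPO is inherited). It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on a domain-joined machine; the account name `jdoe` and the group name are placeholders to replace with your own.

```powershell
# Added example, not the original poster's script.
# Assumes: RSAT ActiveDirectory + GroupPolicy modules, run as a user who can read
# AD objects and GPO links. $UserName is a placeholder; $GroupName is the group
# named in the post.
param(
    [string]$UserName  = 'jdoe',        # assumption: your personal (non-admin) account
    [string]$GroupName = 'IT Admins'    # the group the Restricted Groups setting adds
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. "Allow inheritable permissions..." on the user object.
#    The checkbox corresponds to the "protected DACL" flag on the object's
#    security descriptor: protected = checkbox cleared.
$user = Get-ADUser -Identity $UserName -Properties nTSecurityDescriptor
if ($user.nTSecurityDescriptor.AreAccessRulesProtected) {
    Write-Warning "$UserName : inheritance is BLOCKED (checkbox cleared)"
} else {
    Write-Host    "$UserName : inheritance is enabled (checkbox checked)"
}

# 2. Is the group a direct member of the domain's BUILTIN\Administrators,
#    and is the user an effective (nested) member because of it?
$directMembers = Get-ADGroupMember -Identity 'Administrators'
$groupIsDirect = $directMembers |
    Where-Object { $_.objectClass -eq 'group' -and $_.name -eq $GroupName }
if ($groupIsDirect) {
    Write-Warning "'$GroupName' is a direct member of BUILTIN\Administrators"
} else {
    Write-Host    "'$GroupName' is NOT a direct member of BUILTIN\Administrators"
}

$effective = Get-ADGroupMember -Identity 'Administrators' -Recursive |
    Where-Object { $_.SamAccountName -eq $UserName }
if ($effective) {
    Write-Warning "$UserName is an effective member of BUILTIN\Administrators"
} else {
    Write-Host    "$UserName is NOT an effective member of BUILTIN\Administrators"
}

# 3. Which GPOs reach the domain controllers? A GPO linked at the domain root
#    is inherited by the Domain Controllers OU unless inheritance is blocked there.
$domainDn = (Get-ADDomain).DistinguishedName
$dcOu     = "OU=Domain Controllers,$domainDn"

foreach ($target in @($domainDn, $dcOu)) {
    $inh = Get-GPInheritance -Target $target
    Write-Host "GPOs linked directly at $target (inheritance blocked: $($inh.GpoInheritanceBlocked)):"
    foreach ($link in $inh.GpoLinks) {
        Write-Host ("  {0}  Enabled={1} Enforced={2}" -f $link.DisplayName, $link.Enabled, $link.Enforced)
    }
}

Write-Host "Effective GPO list on the Domain Controllers OU (including inherited links):"
foreach ($link in (Get-GPInheritance -Target $dcOu).InheritedGpoLinks) {
    Write-Host ("  {0}  Enabled={1} Enforced={2}" -f $link.DisplayName, $link.Enabled, $link.Enforced)
}
```

Run it before and after changing where the GPO is linked; if the Restricted Groups GPO shows up in the inherited list for the Domain Controllers OU, the domain controllers are applying it, which is the situation the post describes.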