Domain: DFL is Windows 2008 and DCs run Windows 2008 SP2. Changes are made with either Server 2008 ADUC or Windows 7 ADUC.
I have several administrator accounts that are not inheriting delegated permissions because the system is removing the "Include inheritable permissions from this object's parent" option. This usually occurs when the user account is a member of a critical group such as Backup Operators. As I understand it, if they are part of a critical group, adminCount is set to 1 on the account. Then when the Security Descriptor Propagator (SDProp) task runs, it actually enforces the protection mechanism and removes the setting. I have checked the accounts with ADSIedit and adminCount is set to 1. Changing it to 0 did not work, as the value changed back on its own.
With all that said, I cannot find a "critical group" these users are a member of. They had previously belonged to Domain Admins but were removed several months ago. I attempted to copy the account, as well as build a brand new one and add the same groups from scratch. In both cases they behaved the same: the check mark is removed and permissions do not inherit.
So I am thinking either one of these groups has become critical and I am unaware of it, or the accounts are "tattooed" from being in a critical group in the past. Any idea how to determine which it is and resolve it? Thanks!
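The two possibilities in the question (a hidden nested membership in a protected group versus a tattooed adminCount) can be told apart from a script. The following is an added example, not code from the original post or from any Microsoft tool: it reads the DC-computed tokenGroups attribute of the account, which lists every group the account ends up in (nested, primary and built-in local groups included) as SIDs, and compares those SIDs against the groups that SDProp protects on Windows Server 2008, keyed by well-known SID rather than by name. For each protected group it finds, it also shows which of the account's direct groups lead into it, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule. It assumes PowerShell 2.0 or later on a domain-joined Windows 7 or Server 2008 box and uses System.DirectoryServices (ADSI) directly, so neither RSAT nor Active Directory Web Services is needed; the script name Find-ProtectedMembership.ps1, the -SamAccountName value and the -Fix switch are this example's own names. Nothing is written unless -Fix is given.

```powershell
# Added example, not the poster's code. Requires only PowerShell 2.0+ and ADSI
# (System.DirectoryServices); .psbase is used so the .NET members of DirectoryEntry
# are reachable on every PowerShell version. Read-only unless -Fix is supplied.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,   # placeholder: the affected account
    [switch]$Fix                                             # clear adminCount / restore inheritance
)

function Resolve-SidName([System.Security.Principal.SecurityIdentifier]$Sid) {
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

# Escape the characters that are special inside an LDAP filter value (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDN  = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
$domain    = [ADSI]"LDAP://$domainDN"
$domainSid = New-Object System.Security.Principal.SecurityIdentifier(
                 [byte[]]$domain.psbase.Properties['objectSid'].Value, 0)

# Groups whose members AdminSDHolder/SDProp protect on Windows Server 2008, keyed by SID so
# renamed or localized group names do not matter. Domain RIDs: Domain Admins (512),
# Domain Controllers (516), Schema Admins (518), Enterprise Admins (519), Read-only DCs (521);
# 518/519 exist only in the forest root domain. Built-in: Administrators (544), Account
# Operators (548), Server Operators (549), Print Operators (550), Backup Operators (551),
# Replicator (552).
$protected = @{}
foreach ($rid in 512, 516, 518, 519, 521) { $protected["$($domainSid.Value)-$rid"] = $true }
foreach ($rid in 544, 548, 549, 550, 551, 552) { $protected["S-1-5-32-$rid"] = $true }

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
$found = $searcher.FindOne()
if (-not $found) { throw "Account '$SamAccountName' not found under $domainDN" }
$user   = $found.GetDirectoryEntry()
$userDN = [string]$user.psbase.Properties['distinguishedName'].Value

# tokenGroups is computed by the DC at read time and holds the SIDs of every group the
# account belongs to, transitively, including the primary group and built-in local groups.
$user.psbase.RefreshCache(@('tokenGroups'))
$protectedHits = @()
foreach ($raw in $user.psbase.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw, 0)
    if ($protected.ContainsKey($sid.Value)) { $protectedHits += $sid }
}

"Account:             $userDN"
"adminCount:          $($user.psbase.Properties['adminCount'].Value)"
"Inheritance blocked: $($user.psbase.ObjectSecurity.AreAccessRulesProtected)"

foreach ($sid in $protectedHits) {
    "Protected group:     $(Resolve-SidName $sid)"
    $searcher.Filter = "(objectSid=$($sid.Value))"
    $groupEntry = $searcher.FindOne()
    if (-not $groupEntry) { continue }
    $groupDN = [string]$groupEntry.Properties['distinguishedname'][0]
    $direct  = @($user.psbase.Properties['memberOf'] | ForEach-Object { [string]$_ })
    if ($direct -contains $groupDN) { "  direct member" }
    # The account's direct groups that are themselves (transitively) members of the
    # protected group: memberOf with LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
    $searcher.Filter = "(&(objectCategory=group)(member=$(ConvertTo-LdapFilterValue $userDN))" +
                       "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDN)))"
    foreach ($g in $searcher.FindAll()) { "  via nested group:  $($g.Properties['distinguishedname'][0])" }
}

if ($protectedHits.Count -eq 0) {
    "No protected-group membership found: adminCount=1 is a leftover (tattoo) from an earlier membership."
    if ($Fix) {
        # SDProp never undoes its own work when an account leaves a protected group; clearing
        # adminCount and re-enabling inheritance is manual. Since the account is no longer
        # protected, the next SDProp pass (hourly by default) leaves these changes alone.
        $user.psbase.Properties['adminCount'].Clear()
        $acl = $user.psbase.ObjectSecurity
        $acl.SetAccessRuleProtection($false, $true)   # $false = inherit again; $true = keep explicit ACEs
        $user.psbase.ObjectSecurity = $acl
        $user.psbase.CommitChanges()
        "adminCount cleared and inheritance re-enabled."
    }
} elseif ($Fix) {
    Write-Warning "Account is still in a protected group; remove that membership first or SDProp will re-protect it."
}
```

Run it as `.\Find-ProtectedMembership.ps1 -SamAccountName jdoe` (jdoe is a placeholder) against one of the affected accounts, and again with `-Fix` once it reports no protected membership. A "via nested group" line is the answer to the first half of the question: that group is what drags the account under AdminSDHolder, and it will do the same to any copied or freshly built account that gets the same group list. If the report shows only a tattoo, expect the ACL to stay fixed after the next SDProp cycle; if it is re-protected again within an hour, a membership was missed and the tokenGroups read should be repeated against a DC in the account's own domain. Note also that on Server 2008 the four operator groups (Account, Server, Print and Backup Operators) can be excluded from SDProp protection through the sixteenth character of the forest's dSHeuristics attribute, which is a separate design decision from cleaning up individual accounts.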