Many people should know the object AdminSDHolder and what it does by now. It checks and reverts back protected group's ACL periodically, if found modified. This is a desirable feature (if you know how it works otherwise you will really be surprised). However, on the top of the above knowledge, it's also tricky to get a user's permission changed if he is a former member of protected group.
For example, if John was Domain Admin and later became a normal user. You will find out that John's permission still gets reverted periodically. This is very hard to figure if you didn't know the history of John's account. To correct this, two things need to be done before permissions can be changed.
1. Change adminCount's value to 0
2. Enable "inheritance"