There is a process in Windows AD (SDProp, driven by the AdminSDHolder object) that periodically stamps a fixed set of permissions onto the members of certain protected groups, overwriting any delegated ACEs and disabling inheritance on those accounts. This has been painful for many customers who have needed to delegate permissions to users who belong to these groups, or who unknowingly have users in a nested group that is a member of a protected group via transitivity.

 

I have seen LSASS CPU hit the roof because someone tossed 56k users into a group that belonged to Account Operators, and they didn't realize this process existed.

 

Well, we published another one of those DCRs so folks can exclude some of these protected groups:

 

Account Operators

Server Operators

Print Operators

Backup Operators

 

You need to set the dSHeuristics attribute on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domain,DC=com. The 16th character of that string is a hex digit used as a bitmask: 1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators, so 'f' excludes all four. Because the attribute lives in the Configuration partition, the change is forest-wide, and only these four groups can be excluded this way; the remaining protected groups stay under AdminSDHolder. Also note that accounts the process has already touched keep adminCount=1 and blocked inheritance until you clean them up yourself; excluding the group only stops future propagation.
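Here is an added PowerShell example of making that change (this is not from the original post or from the KB article). It assumes the ActiveDirectory RSAT module is installed, that you have rights to modify the Configuration partition, and that you want to exclude all four operator groups; change $exclusionMask to 1, 2, 4 or 8 (or a combination) to exclude fewer.

```powershell
# Added example (not part of the original post): exclude the four operator groups from
# AdminSDHolder protection by setting the 16th character of dSHeuristics.
# Assumes: ActiveDirectory module (RSAT) is available and the caller can write to the
# Configuration naming context. Bit values per KB817433:
#   1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Groups to exclude. 0xF ('f') excludes all four; use 0x1 for Account Operators only, etc.
$exclusionMask = 0xF

$current = (Get-ADObject -Identity $dsObject -Properties dSHeuristics).dSHeuristics
if (-not $current) { $current = '' }

# dSHeuristics is a positional string. Pad it to 16 characters with '0'.
# Every tenth character is a validation digit (position 10 must be '1', 20 must be '2', ...),
# so when we grow the string past 10 characters, position 10 has to be set correctly.
$chars = $current.PadRight(16, '0').ToCharArray()
if ($chars[9] -ne '1') { $chars[9] = '1' }

# Character 16 (index 15) is the AdminSDExMask hex digit. OR in the new bits so any
# exclusion already configured is preserved rather than overwritten.
$existingMask = [Convert]::ToInt32([string]$chars[15], 16)
$chars[15] = ('{0:x}' -f ($existingMask -bor $exclusionMask))
$newValue = -join $chars

Write-Host "dSHeuristics: '$current' -> '$newValue'"
Set-ADObject -Identity $dsObject -Replace @{ dSHeuristics = $newValue }

# Reminder: this stops future SDProp stamping for the excluded groups. Accounts that were
# already protected still carry adminCount=1 and have inheritance disabled; clear
# adminCount and re-enable inheritance on those objects yourself once they are out of scope.
```

Run it once from a machine that can reach a writable DC; the change replicates through the Configuration partition, and SDProp picks it up on its next pass on the PDC emulator.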

 

See http://support.microsoft.com/kb/817433 for more info.

 

This isn't a brand new release; it was done 4-6 months ago (can't recall exactly when), but I wanted to mention it since it may have slipped past your radar.

 

Spat