There is a process in Windows AD, the security descriptor propagator (SDProp), that periodically stamps the ACL of the AdminSDHolder object onto a fixed set of protected groups and every account that is a member of them, directly or through nesting, disabling ACL inheritance and setting adminCount=1 on each one. This has been painful for many customers who need to delegate permissions on users who belong to these groups, or who unknowingly have users in a nested group that is a member of a protected group and so are covered transitively.
I have seen LSASS CPU hit the roof because someone tossed 56k users into a group that belonged to Account Operators and didn't realize this process existed.
Well, we published another one of those DCRs so folks can exclude some of these protected groups:
You need to set the dsHeuristics attribute on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Domain,DC=com. The 16th character of that string is a bit mask of the groups to exclude: 1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators, so "f" excludes all four. Only these four operator groups can be excluded; Administrators, Domain Admins, Enterprise Admins, Schema Admins and the rest of the protected set stay protected. Two caveats: the operator groups are still highly privileged (Account Operators can manage most user and group accounts, and Server Operators and Backup Operators can get code running on a domain controller), so excluding them trades AdminSDHolder protection for delegation convenience and should be a deliberate decision; and SDProp does not undo what it already did, so the adminCount=1 value and the disabled inheritance on existing members have to be cleaned up by hand.
See http://support.microsoft.com/kb/817433 for more info.
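The change above, as an added PowerShell example that is not from the original post. It assumes the ActiveDirectory module, a Domain Admin (or equivalent) account, and that the configuration naming context is read from the RootDSE rather than the placeholder DC=Domain,DC=com. It keeps whatever other heuristics are already set, honours the rule that the 10th character of dsHeuristics must be "1" when the string is that long, and shows which group objects are currently flagged so the adminCount cleanup can be planned:

```powershell
# Added example (not the original post's code): exclude chosen operator groups from
# AdminSDHolder protection via the 16th character of dsHeuristics (see KB 817433).
# Assumes the ActiveDirectory module and rights to write the Directory Service object.
Import-Module ActiveDirectory

# Bit values for the 16th character of dsHeuristics; 'f' (15) excludes all four groups.
$ExcludeBits = @{
    AccountOperators = 1
    ServerOperators  = 2
    PrintOperators   = 4
    BackupOperators  = 8
}

# Pick the groups to exclude. Each one you exclude is a privileged group that SDProp
# will no longer re-protect, so keep this list as short as the delegation requires.
$Mask = $ExcludeBits.AccountOperators + $ExcludeBits.PrintOperators

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$DsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC"

$Current = (Get-ADObject -Identity $DsObject -Properties dsHeuristics).dsHeuristics
if (-not $Current) { $Current = '' }

# Pad to 16 characters with '0' so positions we are not changing keep their defaults.
# The 10th character must be '1' once the string reaches that length (the positional
# check digit in dsHeuristics), so set it when padding crosses it.
$Chars = $Current.PadRight(16, '0').ToCharArray()
if ($Chars[9] -eq '0') { $Chars[9] = '1' }

# 16th character = the mask as a single hex digit.
$Chars[15] = [char]('{0:x}' -f $Mask)
$New = -join $Chars

Write-Host "dsHeuristics: '$Current' -> '$New'"
Set-ADObject -Identity $DsObject -Replace @{ dsHeuristics = $New }

# SDProp does not revert earlier changes: the groups you just excluded, and their
# members, still carry adminCount=1 and a non-inheriting ACL. List them so the
# cleanup (reset adminCount, re-enable inheritance) can be scoped before doing it.
$Flagged = Get-ADObject -LDAPFilter '(&(objectClass=group)(adminCount=1))' -Properties adminCount |
    Select-Object Name, DistinguishedName
Write-Host "Groups still flagged with adminCount=1:"
$Flagged | Format-Table -AutoSize
```

Run it on the PDC emulator or wait for the next SDProp pass (60 minutes by default) before checking whether newly added members of an excluded group stop getting stamped; members that were already stamped stay that way until you reset adminCount and inheritance on them.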
This isn't a brand new release; it was done 4-6 months ago (can't recall exactly when), but I wanted to mention it since it may have slipped past your radar.