Hi,
If the adminCount attribute on a user is set to 1, we can assume it is (or was at some point in the past) a member of a protected group and affected by the AdminSDHolder role.
You can check the adminCount attribute on a user in ADUC (with advanced features enabled) or ADSIEdit.
Or use a powershelll command to get the list of all protected groups in an Active Directory Domain :
Get-ADGroup –LDAPFilter “(admincount=1)”
Based on my research, if you wan to prevent a a user or a group from being affected from the protected groups, you must remove them from the protected groups and you must manually set back to allowing inheritance and set AdminCount to 0, usually through ADSI.
Following links for your reference:
https://social.technet.microsoft.com/wiki/contents/articles/22331.adminsdholder-protected-groups-and-security-descriptor-propagator.aspx
https://learn.microsoft.com/en-us/archive/blogs/askds/five-common-questions-about-adminsdholder-and-sdprop