If you removed a user from an AdminSDHolder protected group, permission inheritance on their user object is not restored.

I have scripted Inherit_Perms.bat to enable inheritance ("Allow inheritable permissions from parent to propagate to this object") and to set their adminCount attribute to 0.

The syntax for using Inherit_Perms.bat is:

Inherit_Perms "distinguishedName" OK


"distinguishedName" is the distinguished name of the user, like "CN=John Doe,CN=Users,DC=JSIINC,DC=COM".

OK is a call directed environment variable that will contain
    a Y if "distinguishedName" was found.
    a N if "distinguishedName" was NOT found.

Inherit_Perms.bat contains:

@echo off
if {%2}=={} @echo Syntax: Inherit_Perms distinguishedName OK&goto :EOF
setlocal
rem Build the helper VBScript once; later runs reuse the copy in %TEMP%.
if exist "%TEMP%\Inherit_Fix.vbs" goto doit
@echo.Option Explicit>"%TEMP%\Inherit_Fix.vbs"
@echo.Const SE_DACL_PROTECTED = ^&H1000>>"%TEMP%\Inherit_Fix.vbs"
@echo.Dim objADObject, objSD, intSDC, objArguments, user>>"%TEMP%\Inherit_Fix.vbs"
@echo.Set objArguments = Wscript.Arguments>>"%TEMP%\Inherit_Fix.vbs"
@echo.user="LDAP://" ^& objArguments(0)>>"%TEMP%\Inherit_Fix.vbs"
@echo.On Error Resume Next>>"%TEMP%\Inherit_Fix.vbs"
@echo.Set objADObject = GetObject(user)>>"%TEMP%\Inherit_Fix.vbs"
@echo.Wscript.Echo objADObject.distinguishedName>>"%TEMP%\Inherit_Fix.vbs"
@echo.Set objSD = objADObject.Get("ntSecurityDescriptor")>>"%TEMP%\Inherit_Fix.vbs"
@echo.intSDC = objSD.Control>>"%TEMP%\Inherit_Fix.vbs"
@echo.If (intSDC And SE_DACL_PROTECTED) Then>>"%TEMP%\Inherit_Fix.vbs"
@echo.    intSDC = intSDC Xor SE_DACL_PROTECTED>>"%TEMP%\Inherit_Fix.vbs"
@echo.End If>>"%TEMP%\Inherit_Fix.vbs"
@echo.objSD.Control = intSDC>>"%TEMP%\Inherit_Fix.vbs"
@echo.objADObject.Put "ntSecurityDescriptor", objSD>>"%TEMP%\Inherit_Fix.vbs"
@echo.objADObject.Put "adminCount", "0">>"%TEMP%\Inherit_Fix.vbs"
@echo.objADObject.SetInfo>>"%TEMP%\Inherit_Fix.vbs"
:doit
rem Strip any quotes from the DN, then re-quote it.
set user=%1
set user="%user:"=%"
set fnd=N
set OK=Y
rem The helper echoes the distinguishedName only if the object was found.
for /f "Tokens=*" %%a in ('cscript //nologo "%TEMP%\Inherit_Fix.vbs" %user%') do (
 set fnd="%%a"
)
if /i %user% NEQ %fnd% set OK=N
rem Return Y or N in the caller's variable named by the second argument.
endlocal&set %2=%OK%
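
To find the accounts that need this fix, the following read-only PowerShell audit lists users that still carry adminCount=1 but are no longer in a protected group, and shows whether their DACL is still protected. It is an added example, not part of the original tip; it assumes the RSAT ActiveDirectory module, treats groups with adminCount=1 as the protected set, and the helper names ConvertTo-FilterValue and Test-InProtectedGroup are hypothetical.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the ActiveDirectory (RSAT) module and rights to read nTSecurityDescriptor.
Import-Module ActiveDirectory

# Assumption: groups currently stamped adminCount=1 are treated as the protected set.
$protectedGroups = Get-ADGroup -LDAPFilter '(adminCount=1)'

function ConvertTo-FilterValue {
    # Escape characters that are special inside an LDAP filter value.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Test-InProtectedGroup {
    # True if the user is a direct or nested member of any protected group.
    # Limitation: membership held only through primaryGroupID is not in memberOf.
    param([string]$UserDN)
    foreach ($g in $protectedGroups) {
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (nested membership)
        $dn     = ConvertTo-FilterValue $g.DistinguishedName
        $filter = "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
        if (Get-ADUser -LDAPFilter $filter -SearchBase $UserDN -SearchScope Base) {
            return $true
        }
    }
    return $false
}

# krbtgt accounts are protected by name rather than by group, so skip them.
$candidates = Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt*)))' `
                         -Properties adminCount, nTSecurityDescriptor

$candidates | ForEach-Object {
    [pscustomobject]@{
        DistinguishedName  = $_.DistinguishedName
        AdminCount         = $_.adminCount
        # AreAccessRulesProtected reflects the SE_DACL_PROTECTED control bit
        # that Inherit_Fix.vbs tests and clears.
        InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
        StillProtected     = Test-InProtectedGroup $_.DistinguishedName
    }
} | Where-Object { -not $_.StillProtected } | Sort-Object DistinguishedName
```

Each row returned is a candidate to pass to Inherit_Perms by its DistinguishedName; review the list before changing anything.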