According to every article I've read, the "Domain Controllers" group is protected by AD. The group does in fact have adminCount set to 1. The same applies to the "Read-only Domain Controllers" group.
However, the members are of course domain controllers, none of which have adminCount set, and the ACL does not match AdminSDHolder. (I know that if the ACLs already match, adminCount is not necessarily set to 1 when the check runs.)
I see other computer objects (with adminCount=1) that are being protected, so it's not that computer objects are excluded. It just does not seem to apply to any domain controllers, even though the groups they're in are protected.
What am I missing here?
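
One way to reproduce the comparison described in the question, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, read access to the domain partition, and the default English group names; the helper name `Get-DaclSddl` is hypothetical.

```powershell
# Added example: report adminCount and DACL state for the two groups and for
# every domain controller computer object, compared against AdminSDHolder.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$domainDn = (Get-ADDomain).DistinguishedName
$holderDn = "CN=AdminSDHolder,CN=System,$domainDn"

# Hypothetical helper: return only the DACL in SDDL form, so that owner and
# SACL differences do not affect the comparison.
function Get-DaclSddl {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").GetSecurityDescriptorSddlForm('Access')
}

$holderDacl = Get-DaclSddl -DistinguishedName $holderDn

# The two groups named in the question.
'Domain Controllers', 'Read-only Domain Controllers' | ForEach-Object {
    $g = Get-ADGroup -Identity $_ -Properties adminCount
    [pscustomobject]@{
        Object                   = $g.Name
        Type                     = 'group'
        AdminCount               = $g.adminCount
        InheritanceDisabled      = (Get-Acl -Path "AD:\$($g.DistinguishedName)").AreAccessRulesProtected
        DaclMatchesAdminSDHolder = ((Get-DaclSddl -DistinguishedName $g.DistinguishedName) -eq $holderDacl)
    }
} | Format-Table -AutoSize

# Every domain controller (writable and read-only) in the domain.
Get-ADDomainController -Filter * | ForEach-Object {
    $c   = Get-ADComputer -Identity $_.ComputerObjectDN -Properties adminCount
    $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
    [pscustomobject]@{
        Object                   = $c.Name
        Type                     = if ($_.IsReadOnly) { 'RODC' } else { 'DC' }
        AdminCount               = $c.adminCount
        InheritanceDisabled      = $acl.AreAccessRulesProtected
        DaclMatchesAdminSDHolder = ($acl.GetSecurityDescriptorSddlForm('Access') -eq $holderDacl)
    }
} | Format-Table -AutoSize
```

An empty `AdminCount` column means the attribute is not set on that object.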