Microsoft Knowledge Base Article 232199 contains the following summary:
The information in this article applies only to upgrading
from Windows 2000 RC2 (or earlier builds) to the released version of Windows
2000. A change was made in Windows 2000 RC3 to the access control list (ACL) of
the AdminSDHolder Active Directory object. This object is used to control the
permissions of user accounts that are members of the built-in Administrators or
Domain Administrators groups.
Every
hour, the Windows 2000 domain controller that holds the primary domain
controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL
on all security principals (users, groups, and machine accounts) present for its
domain in Active Directory and that are in administrative groups against the ACL on
the following object:
CN=AdminSDHolder,CN=System,DC=MyDomain,DC=Com
Replace "DC=MyDomain,DC=Com" in this path with the distinguished name (DN) of your domain.
If the ACL is different, the ACL on the user object is
overwritten to reflect the security settings of the AdminSDHolder object (which
includes disabling ACL inheritance). This protects these administrative
accounts from being modified by unauthorized users if the accounts are moved to
a container or organizational unit in which a user has been delegated
administrative privilege for the modification of user accounts. Note that when
a user is removed from the administrative group, the process is not reversed
and must be manually changed.
NOTE: Using the following procedure is not required if you are
upgrading Microsoft Windows NT 4.0 to the released version of Windows 2000.