I am finding that some of the user accounts in our AD don't have all of the inheritable permissions on them. The main one missing is "Account Operators". I did lots of research and found that this could have been caused by the AdminSDHolder issue from upgrading AD over time to Windows Server 2008 R2, and we are now running on Windows Server 2012 R2. I have found that if I open the Advanced Security tab and click "Restore defaults", it fixes the issue. Now, how do I automate this with a script to identify all of the users that do not have "Account Operators" on them and then issue the restore defaults to them?
Thank you for any help.
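
One way to script the check and reset described in the question above, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module and dsacls.exe are available, and that `dsacls /resetDefaultDACL` is an acceptable command-line counterpart to the "Restore defaults" button in your environment; the function names and the CSV path are hypothetical.

```powershell
Import-Module ActiveDirectory

function Get-UserMissingAccountOperators {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Well-known SID of BUILTIN\Account Operators; avoids localized group names.
    $aoSid = 'S-1-5-32-548'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor, adminCount |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            # Explicit and inherited ACEs, with trustees returned as SIDs.
            $rules = $sd.GetAccessRules($true, $true, $sidType)
            $hasAo = @($rules | Where-Object { $_.IdentityReference.Value -eq $aoSid }).Count -gt 0
            if (-not $hasAo) {
                [pscustomobject]@{
                    SamAccountName     = $_.SamAccountName
                    DistinguishedName  = $_.DistinguishedName
                    AdminCount         = $_.adminCount                # 1 = stamped by SDProp at some point
                    InheritanceBlocked = $sd.AreAccessRulesProtected  # typical AdminSDHolder leftover
                }
            }
        }
}

function Reset-UserDefaultAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$DistinguishedName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'dsacls /resetDefaultDACL')) {
            # Resets the DACL to the schema default for the object's class.
            & dsacls.exe $DistinguishedName /resetDefaultDACL | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "dsacls failed for $DistinguishedName (exit code $LASTEXITCODE)"
            }
        }
    }
}

# Report first and keep a record, then dry-run the reset.
$candidates = @(Get-UserMissingAccountOperators)
$candidates | Export-Csv -Path .\users-missing-account-operators.csv -NoTypeInformation
$candidates | Reset-UserDefaultAcl -WhatIf   # remove -WhatIf after reviewing the CSV
```

Accounts that are still members of a protected group will have their ACL overwritten from AdminSDHolder again on the next SDProp run, so review the AdminCount column and current group membership before resetting anything.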