# Record this run's console output. The script prints the names of the accounts
# it processes, so keep the log somewhere only administrators can read.
Start-Transcript -Append -Path 'c:\temp\adminSDholder-cleanup.log'
 
 
 
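function ResetAccount($dn){
    <#
    .SYNOPSIS
        Removes AdminCount=1 from an AD object and re-enables ACL inheritance on it.
    .PARAMETER dn
        Distinguished name of the object to reset.
    .NOTES
        Each step reports OK/Failed on the console. A failure in one step is
        printed and does not stop the other step or the caller.
    #>
    write-host "Removing AdminCount attribute...  " -NoNewline
    try{
        # -ErrorAction Stop turns any non-terminating error into an exception,
        # so "OK" is printed only when the attribute was really removed.
        Get-ADObject $dn -ErrorAction Stop | set-adobject -Remove @{admincount=1} -ErrorAction Stop
        Write-Host "OK" -ForegroundColor Green
    }
    catch{
        Write-Host "Failed." -ForegroundColor Red
        Write-Host $_ -ForegroundColor DarkRed
    }

    write-host "Resettings ACL... " -NoNewline
    try{
        $acl = Get-ACL -Path "AD:\$dn" -ErrorAction Stop
        # First argument $False switches protection off, i.e. re-enables
        # inheritance from the parent container; the second argument is ignored
        # when protection is switched off.
        # NOTE(review): this call only re-enables inheritance. Explicit ACEs that
        # are already on the object are not removed here, so review the resulting
        # ACL if the goal is a full return to the default security descriptor.
        $acl.SetAccessRuleProtection($False,$True)
        Set-Acl -Path "AD:\$dn" -AclObject $acl -ErrorAction Stop
        Write-Host "OK" -ForegroundColor Green
    }
    catch{
        Write-Host "Failed." -ForegroundColor Red
        Write-Host $_ -ForegroundColor DarkRed
    }
}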
 
 
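"Retrieving data from ActiveDirectory..."
# Candidates: objects with AdminCount=1 that are not critical system objects.
# Name and DistinguishedName are part of Get-ADObject's default property set,
# so "-Properties *" is not needed. @() keeps .Count valid for 0 or 1 results.
$accList = @(Get-ADObject -Filter 'AdminCount -eq 1 -and isCriticalsystemObject -notlike "*"')
# Reference list: DNs of groups with AdminCount=1 that are critical system objects.
# @() keeps this an array even when a single group (or none) is returned, so the
# membership test below never turns into a substring match on one string.
$adminGroupList = @(Get-ADGroup -Filter 'admincount -eq 1 -and iscriticalsystemobject -like "*"' | Select-Object -ExpandProperty distinguishedName)

"Found $($accList.count) accounts with AdminCount=1"
$counter = 0
$orphanList = @()

foreach ($acc in $accList) {
    $counter++
    Write-Host "Processing account $($acc.Name) ($counter of $($accList.count))..." -NoNewline
    $dn = $acc.DistinguishedName

    # Reset per account: otherwise an account with no group memberships would
    # inherit the verdict of the previously processed account.
    $isAdmin = $false

    # All groups the object belongs to, directly or through nesting.
    # NOTE(review): this follows the "member" attribute only; membership held via
    # the primary group is not stored there, so check such accounts by hand
    # before confirming a reset.
    $memberOf = Get-ADGroup -Filter {member -RecursiveMatch $dn}
    foreach ($group in $memberOf) {
        # -contains compares case-insensitively, which suits distinguished names.
        if ($adminGroupList -contains $group.DistinguishedName) {
            $isAdmin = $true
            break
        }
    }

    if ($isAdmin) {
        Write-Host "member of admin group" -ForegroundColor Green
    }
    else {
        # "+=" is required; a bare "$orphanList + $acc" only emits the sum to the
        # pipeline and leaves the list empty.
        $orphanList += $acc
        Write-Host "not member in any admin groups" -ForegroundColor Yellow
    }
}

# Message below is Norwegian for: "Found N non-admin accounts that are protected
# with the adminSDholder ACL".
"Fant $($orphanList.count) ikke-admin kontoer som er beskyttet med adminSDholder ACL"
foreach ($acc in $orphanList) {
    # Nothing is changed without an explicit "y" for each account.
    if (( Read-Host "Reset security descriptor for account '$($acc.Name)'?" ) -eq "y" ) {
        ResetAccount $acc.DistinguishedName
    }
}


Stop-Transcript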
 

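This PowerShell script scans the current Active Directory domain for accounts that are no longer members of any privileged admin group but still have the AdminCount attribute set (AdminCount=1). For each such account it then lets you remove the AdminCount attribute and reset the ACL to its default value (the script does this by re-enabling permission inheritance on the account; explicit ACEs already on the object are left in place).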

For more information about adminSDholder, AdminCount see https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx