Expected behavior: when a user is added to the "Domain Admins" group (whether directly or transitively), the attribute adminCount [1] should be incremented by 1.

Current behavior: when a user is added to the "Domain Admins" group, the attribute is neither added nor incremented.

It is a security feature that is used in DS ACL inheritance configuration [2].

[1] https://docs.microsoft.com/en-us/windows/desktop/adschema/a-admincount
[2] https://blogs.technet.microsoft.com/chadcox/2018/01/08/adposh-find-and-fix-adminsdholder-orphans-admincount/
(In reply to Denis Cardon from comment #0) Dear Denis, considering that AdminSDHolder changes adminCount to 1 on AD, and that this can be seen in ADSI Edit for the user object. Or SDPROP (Security Descriptor Propagation) is automatically activated after 60 minutes on the PDC emulator of the Active Directory domain and updates the adminCount value of every security object via the AdminSDHolder code; adminCount is set to 1. On Samba, should adminCount be updated on running getent or id for the user?
(In reply to Amit Kumar from comment #1) G'Day Amit, Denis is raising the fact that Samba AD does not implement this Windows AD feature. This is a reasonable feature request.
Here's a very good related article on this topic, German only though: https://www.msxfaq.de/konzepte/adminsdholder.htm
Also, various Microsoft Exchange versions seem to require AdminSDHolder functionality.
I have updated the title of this entry, as the core issue is the lack of an SDProp implementation. SDProp is a cron job that runs on the PDC, looks for all the privileged accounts (Domain Admins, Enterprise Admins, etc.) and will:
 * set the adminCount attribute to 1 if unset
 * apply the AdminSDHolder ACL on the entry to disable ACL inheritance and set a strict ACL on the entry, to avoid account takeover through delegation

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory
https://techcommunity.microsoft.com/blog/askds/five-common-questions-about-adminsdholder-and-sdprop/396293
https://secureidentity.se/adminsdholder-pitfalls-and-misunderstandings/
I think the easiest way to deal with this feature would be to have a python script samba_sdprop, like we already have samba_kcc, that would be called by the samba process on a regular basis:

samba sdprop command = /usr/sbin/samba_sdprop
samba sdprop frequency = 3600    # in seconds; MS value range: 60-7200s
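As an added example (not Samba code, and not something any commenter in this thread wrote), here is a Python sketch of the pass that a samba_sdprop script along the lines described above would perform. It runs over a constructed in-memory directory snapshot instead of the Samba ldb: the DIRECTORY dict, the DNs, the PROTECTED_GROUPS list (a subset of the real protected groups) and the ADMINSDHOLDER_SD placeholder are all assumptions of this example. It resolves transitive membership of the protected groups, stamps adminCount=1 and the AdminSDHolder descriptor on members that lack them, and also reports "orphans" (objects that still carry adminCount=1 after leaving a protected group, the case from reference [2] in comment #0).

```python
"""Minimal SDProp-style pass over an in-memory directory snapshot.
Added example only; a real samba_sdprop would read and write these
attributes through ldb on the PDC emulator."""

from collections import deque

# Constructed snapshot: DN -> attributes. 'member' lists direct members.
DIRECTORY = {
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=Tier0 Ops,OU=Groups,DC=example,DC=com",
                   "CN=alice,CN=Users,DC=example,DC=com"],
    },
    # nested group: bob is a Domain Admin only transitively
    "CN=Tier0 Ops,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=bob,CN=Users,DC=example,DC=com"],
    },
    "CN=alice,CN=Users,DC=example,DC=com": {"objectClass": "user"},
    "CN=bob,CN=Users,DC=example,DC=com": {"objectClass": "user"},
    # carol left Domain Admins but still carries adminCount=1 (an orphan)
    "CN=carol,CN=Users,DC=example,DC=com": {"objectClass": "user",
                                            "adminCount": 1},
    "CN=dave,CN=Users,DC=example,DC=com": {"objectClass": "user"},
}

# Assumed subset of the protected groups; the full list is in the MS docs.
PROTECTED_GROUPS = ["CN=Domain Admins,CN=Users,DC=example,DC=com"]

# Constructed placeholder: a real run would read nTSecurityDescriptor from
# CN=AdminSDHolder,CN=System,<domain> and copy that value.
ADMINSDHOLDER_SD = "<AdminSDHolder security descriptor, constructed placeholder>"


def protected_objects(directory, protected_groups):
    """Return the DNs of the protected groups plus all their transitive members.

    Breadth-first walk over 'member'; the 'seen' set stops cycles between
    nested groups and skips dangling member references."""
    seen = set()
    queue = deque(protected_groups)
    while queue:
        dn = queue.popleft()
        if dn in seen or dn not in directory:
            continue
        seen.add(dn)
        queue.extend(directory[dn].get("member", []))
    return seen


def sdprop_pass(directory, protected_groups, holder_sd=ADMINSDHOLDER_SD):
    """One SDProp run. Mutates 'directory' and returns (changed, orphans).

    changed: DNs that were stamped in this run (idempotent: a second run
             over the same snapshot returns an empty list).
    orphans: DNs with adminCount=1 that are no longer protected; SDProp
             leaves these alone, so they are reported for an admin to fix."""
    protected = protected_objects(directory, protected_groups)
    changed = []
    for dn in sorted(protected):
        attrs = directory[dn]
        touched = False
        if attrs.get("adminCount") != 1:
            attrs["adminCount"] = 1
            touched = True
        # copying the holder's descriptor replaces the inherited ACL with
        # the strict AdminSDHolder ACL (inheritance disabled on the object)
        if attrs.get("nTSecurityDescriptor") != holder_sd:
            attrs["nTSecurityDescriptor"] = holder_sd
            touched = True
        if touched:
            changed.append(dn)
    orphans = sorted(dn for dn, attrs in directory.items()
                     if attrs.get("adminCount") == 1 and dn not in protected)
    return changed, orphans


if __name__ == "__main__":
    changed, orphans = sdprop_pass(DIRECTORY, PROTECTED_GROUPS)
    print("stamped:", *changed, sep="\n  ")
    print("orphans (adminCount=1 but not protected):", *orphans, sep="\n  ")
```

Running the script stamps the group itself, the nested group and both users (alice directly, bob transitively) and lists carol as an orphan; dave is untouched. The orphan list is deliberately only reported, not cleared, because Windows SDProp never removes adminCount either, which is exactly why orphans accumulate and need an explicit cleanup step.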