
Maintain rights over the Protected Groups


Modify Security Descriptor of Domain Admins

Remember: the modified Security Descriptor is overwritten when SDProp runs, and you lose the privileges.
How do you maintain them? Add yourself to the AdminSDHolder container.

Modify the Security Descriptor of the Domain Admins group to give a user full control over it.
This will grant full permission over the group, allowing you to add members to it.

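# The target is a directory object, so the rule must be an ActiveDirectoryAccessRule, not a FileSystemAccessRule
$acl = Get-Acl -Path '<DN of Domain Admins>'
$identity = [System.Security.Principal.NTAccount]'<SAM Account Name of user>'
$AccessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, '<Rights>', 'Allow')
$acl.SetAccessRule($AccessRule)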

Have a look at the ActiveDirectoryAccessRule Class
Have a look at the ActiveDirectoryAccessRule Constructors
Have a look at the possible access rights
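
To detect the change described above, audit the ACL of Domain Admins and of AdminSDHolder for trustees that should not hold control rights. The following is an added example, not code from the original page; the function name, the `CONTOSO` trustees and the sample ACEs are constructed assumptions.

```powershell
# Added defensive example (not from the original page).
# Flags Allow ACEs that grant write/control rights to a trustee outside a baseline.
function Find-UnexpectedControlAce {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,             # e.g. (Get-Acl ...).Access
        [Parameter(Mandatory)] [string[]] $ExpectedTrustee  # assumption: your own baseline
    )
    # ActiveDirectoryRights bits: WriteProperty (0x20), WriteDacl (0x40000), WriteOwner (0x80000).
    # GenericAll (0xF01FF) and GenericWrite (0x20028) each contain at least one of them.
    $controlBits = 0x20 -bor 0x40000 -bor 0x80000
    foreach ($a in $Ace) {
        $rights = [int]$a.ActiveDirectoryRights
        if ("$($a.AccessControlType)" -ne 'Allow')          { continue }
        if (($rights -band $controlBits) -eq 0)             { continue }
        if ("$($a.IdentityReference)" -in $ExpectedTrustee) { continue }
        [pscustomobject]@{
            Trustee   = "$($a.IdentityReference)"
            Rights    = '0x{0:X}' -f $rights
            Inherited = [bool]$a.IsInherited
        }
    }
}

# Constructed sample ACEs so the check runs without a domain.
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Admins'
                       ActiveDirectoryRights = 0xF01FF; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'   # GenericRead only
                       ActiveDirectoryRights = 0x20094; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\jdoe'                       # unexpected full control
                       ActiveDirectoryRights = 0xF01FF; AccessControlType = 'Allow'; IsInherited = $false }
)
$baseline = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins'

Find-UnexpectedControlAce -Ace $sampleAces -ExpectedTrustee $baseline

# Live use (requires the ActiveDirectory module, which provides the AD: drive):
#   Find-UnexpectedControlAce -Ace (Get-Acl 'AD:\<DN of Domain Admins>').Access -ExpectedTrustee $baseline
# Run the same check against the AdminSDHolder container, because SDProp copies its ACL onto the protected groups.
```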