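@echo off
:: Removes all permission entries held by "BUILTIN\Account operators" on the
:: privileged directory objects listed below, using "dsacls <dn> /R <trustee>".
:: Targets: the Builtin container, the Domain Controllers OU and everything
:: under it, the administrative groups, every (nested) member of those groups,
:: and the krbtgt account.
::
:: Needs dsquery, dsget and dsacls on PATH and an account that is allowed to
:: rewrite the ACLs of these objects.
:: The script has no undo. Save the current ACLs first (plain "dsacls <dn>"
:: prints them) so a change can be reviewed or reverted by hand.
:: NOTE(review): /R acts on the object it is given; entries inherited from a
:: parent are governed at the parent. Re-run "dsacls <dn>" afterwards to
:: confirm the trustee is really gone.
:: NOTE(review): on directories that re-stamp protected accounts from an
:: AdminSDHolder template, changes to those accounts may be reverted. Check
:: again after the next propagation cycle.

:: your ldap base
set "LDAPBASE=dc=test,dc=dom"

Call :FixACLs "cn=builtin,%LDAPBASE%"
Call :FixACLs "ou=Domain controllers,%LDAPBASE%"

:: dsquery returns only the first 100 matches by default, so objects beyond
:: that would silently keep their ACEs. -limit 0 lifts the cap.
:: "delims=;" keeps each quoted DN (which contains spaces and commas) in one token.
for /F "delims=;" %%i in ('dsquery * "ou=domain controllers,%LDAPBASE%" -limit 0') do Call :FixACLs %%i

Call :FixACLs "cn=administrators,cn=builtin,%LDAPBASE%"
Call :FixACLs "cn=domain admins,cn=users,%LDAPBASE%"
Call :FixACLs "cn=Enterprise Admins,cn=users,%LDAPBASE%"
Call :FixACLs "cn=Schema Admins,cn=users,%LDAPBASE%"
Call :FixACLs "cn=Domain controllers,cn=users,%LDAPBASE%"

:: Every direct and nested member (-expand) of the administrative groups.
:: The whole pipeline is wrapped in double quotes so that the pipe is handed to
:: the child cmd instead of being acted on here. Writing Enterprise" "Admins
:: closes and reopens those quotes around the space, which keeps the two-word
:: group name together as a single argument.
:: NOTE(review): these dsquery calls are given no start node, so they do not
:: use LDAPBASE; presumably they search the domain of the logged-on user.
:: Confirm that this is the domain named in LDAPBASE.
for /F "delims=;" %%i in ('"dsquery group -name Administrators | dsget group -members -expand"') do Call :FixACLs %%i
for /F "delims=;" %%i in ('"dsquery group -name Enterprise" "Admins | dsget group -members -expand"') do Call :FixACLs %%i
for /F "delims=;" %%i in ('"dsquery group -name Domain" "Admins | dsget group -members -expand"') do Call :FixACLs %%i
for /F "delims=;" %%i in ('"dsquery group -name Schema" "Admins | dsget group -members -expand"') do Call :FixACLs %%i
for /F "delims=;" %%i in ('"dsquery group -name Domain" "Controllers | dsget group -members -expand"') do Call :FixACLs %%i

Call :FixACLs "cn=krbtgt,cn=users,%LDAPBASE%"

:: Need this ????
:: NOTE(review): presumably the DNS service account of a DC named "s4dc".
:: Adjust the name or drop the line for your environment.
Call :FixACLs "cn=dns-s4dc,cn=users,%LDAPBASE%"

Echo End
pause
Goto EndOfScript

:: ---------------------------------------------------------------------------
:: FixACLs <quoted DN>
::   Strips the Account Operators entries from one object and prints
::   "OK: <dn>" or "BAD: <dn>" depending on the dsacls exit status.
::   The dsacls output is discarded, so to see why an object was reported BAD,
::   run the same dsacls command by hand without "> NUL".
:: ---------------------------------------------------------------------------
:FixACLs
dsacls %1 /R "BUILTIN\Account operators" > NUL && echo OK: %1 || echo BAD: %1
:: Return explicitly rather than relying on falling through to the end of file.
exit /b

:EndOfScript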