I'm using LDAP and assigning all users to a default group when they log in. This default group is a member of the Contributor group but does not have permissions to view parts of the homescreen. All users are a member of this group and get added to other groups based on the permissions they need. However, if I add a user to the administrators group, their permissions get overridden by this default group after a few hours.
How do I permission the default group so that the administrators group takes precident? Is it a better practice to allow admin users to impersonate admin rather than put them in the administrators group?