For an LDAP user, the only source of truth for group membership (outside of the default sonar-users group) is LDAP. That’s why a user will get plucked out of the sonar-administrators group upon logging in, because that group does not exist in LDAP.
I recommend creating a group in LDAP that will be granted the same permissions as the “sonar-administrators” group, and adding that group to the default permission template for projects / portfolios / applications. You may need to adjust permissions of already created components to give this new group permissions over those components.
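As an added illustration, not part of the original post, this is what the group-synchronisation side of that setup looks like in sonar.properties. It assumes an OpenLDAP-style directory under dc=example,dc=com, groupOfNames groups, and an admin group named sonar-admins; the host, DNs and group name are placeholders.

```properties
# Added example (not from the post): SonarQube LDAP group sync.
# Host, DNs and the group name are placeholders.
sonar.security.realm=LDAP
ldap.url=ldaps://ldap.example.com:636
ldap.bindDn=cn=sonar-bind,ou=service,dc=example,dc=com
ldap.bindPassword=<bind-password>

# Users are looked up by uid.
ldap.user.baseDn=ou=people,dc=example,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))

# Groups are the source of truth: on each login the user's SonarQube
# groups are replaced by the groups this query returns (plus sonar-users).
# A SonarQube-only group such as sonar-administrators is not returned,
# so the user is removed from it.
ldap.group.baseDn=ou=groups,dc=example,dc=com
ldap.group.request=(&(objectClass=groupOfNames)(member={dn}))
ldap.group.idAttribute=cn

# In LDAP: create cn=sonar-admins,ou=groups,dc=example,dc=com and add the
# administrators' DNs as "member" values.
# In SonarQube: create a group named exactly "sonar-admins" (matching the
# cn), grant it the same global permissions as sonar-administrators, and
# add it to the default permission template; then fix up permissions on
# components created before the template change.
```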