Finding AD Users that break inheritance

In Active Directory, a user object's security descriptor can be set to stop inheriting permissions from its parent container (the "Include inheritable permissions from this object's parent" option). Once inheritance is disabled, the ACEs defined on the OU (organizational unit) that contains the user no longer apply to that object; only the explicit ACEs on the object itself do. This makes permission problems confusing and hard to track down, because the effective rights on such a user no longer match what the OU delegation suggests. It is also worth reviewing from a security standpoint: an object with inheritance turned off and extra explicit ACEs is a common way for rights to be granted quietly outside the normal delegation model.

To find all such users across your Active Directory, you can run a simple PowerShell command (it needs the ActiveDirectory module from RSAT). Note that accounts protected by AdminSDHolder (those with adminCount set to 1, such as members of Domain Admins) will always appear in the results, because the SDProp process intentionally disables inheritance on them; the interesting findings are the remaining accounts.


Get-ADUser -Filter 'enabled -eq $true' -Properties ntSecurityDescriptor |  Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected }
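The following script is an added example and is not code from the original post. It extends the one-liner above: it separates users whose inheritance was cleared by AdminSDHolder from those where it was cleared by hand, lists the explicit (non-inherited) ACEs and the trustees they grant rights to, and provides a helper to turn inheritance back on. It assumes the ActiveDirectory module is installed, that the caller can read the users' security descriptors, and that the AD: PSDrive the module provides is available; the function name Restore-Inheritance is chosen here and is not a built-in cmdlet.

```powershell
# Added example, not from the original post.
# Assumes the ActiveDirectory module (RSAT) is available and the caller can
# read ntSecurityDescriptor on user objects.
Import-Module ActiveDirectory

# Enabled users whose DACL no longer inherits from the parent container.
$protected = Get-ADUser -Filter 'enabled -eq $true' `
    -Properties ntSecurityDescriptor, adminCount, distinguishedName |
    Where-Object { $_.ntSecurityDescriptor.AreAccessRulesProtected }

$report = foreach ($user in $protected) {
    # SDProp stamps the AdminSDHolder ACL on protected accounts (adminCount = 1)
    # and disables inheritance on them by design. Anything else was done by hand.
    $reason = if ($user.adminCount -eq 1) { 'AdminSDHolder' } else { 'Manual' }

    # With inheritance off, every ACE left on the object is explicit. These are
    # the entries to review: they were set directly on the user, not on the OU.
    $explicit = @($user.ntSecurityDescriptor.Access | Where-Object { -not $_.IsInherited })

    [PSCustomObject]@{
        SamAccountName = $user.SamAccountName
        DN             = $user.DistinguishedName
        Reason         = $reason
        ExplicitACEs   = $explicit.Count
        Trustees       = (($explicit.IdentityReference | Sort-Object -Unique) -join '; ')
    }
}

# Show the manually protected accounts first; these are the ones worth a look.
$report | Sort-Object Reason, SamAccountName | Format-Table -AutoSize

# Hypothetical helper (not a built-in cmdlet): re-enable inheritance on a user
# whose protection was set by hand. Do not run this against adminCount = 1
# accounts; SDProp will simply disable inheritance on them again.
function Restore-Inheritance {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $path = "AD:\$DistinguishedName"          # AD: PSDrive from the ActiveDirectory module
    $acl  = Get-Acl -Path $path

    # SetAccessRuleProtection(isProtected, preserveInheritance):
    # isProtected = $false turns inheritance back on; the second argument is
    # ignored in that case. Existing explicit ACEs stay on the object.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# Usage, once you have confirmed a given account was not meant to be protected:
# Restore-Inheritance -DistinguishedName 'CN=jdoe,OU=Staff,DC=example,DC=com'
```

Before restoring inheritance, review the explicit ACEs on the object: re-enabling inheritance adds the OU's permissions back but does not remove anything that was granted directly, so any unexpected trustee in the Trustees column should be removed separately.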
