We had some really weird issues going on delegating permissions to certain users within Active Directory. Basically, when we would assign them some rights, the rights would just disappear for no rhyme nor reason. What we discovered was Protected Groups. I'm not going to try to explain it, because I don't completely understand it (here's someone much more intelligent doing so on Technet), but I'm going to tell you how to fix it!
The jist of it is that you can't delegate stuff to a user account that is a member of a protected group. Complicating matters is that when you remove someone from a protected group, the setting does not change! You have to go into ADSIEdit and change the AdminCount property on the user's AD object from 1 to 0 manually. Well, you could script that too, but I only had this happen with a few users so I didn't bother with that.
WHY we ran across this is that we had removed some user accounts from the Domain Admins group and had issues with delegating in Exchange. I hear it's a problem with Lync, too, but we don't run that. Again, simply removing someone from the protected group (Domain Admins in this example) does not change the setting. It also bears mentioning that nesting counts. So if User A is a member of a group that's a member of Domain Admins, their AdminCount value will change to 1.
The following commands must be performed inside an Active Directory Powershell Session.
To find which groups are protected, use this command:
Get-ADGroup -LDAPFilter "(objectcategory=group)(admincount=1)" | select name | sort name
To find out which users are protected, use this:
Get-ADUser -LDAPFilter "(objectcategory=person)(samaccountname=*)(admincount=1)" | select name
So what you have to do is get the list of protected users, then cross out any users that are direct or indirect members of the protected groups. The users that remain are unjustly protected. To resolve, simply change the AdminCount value on the remaining users.
Here's a handy function I ran across to get nested group memberships (shout out to Piotr Lewandowski for that).
The protected groups by default include:
Read-only Domain Controllers