In AD when selecting properties for a user or group with advanced features checked under view, this enables a security tab. We have users in this tab that can change passwords and reset passwords. Where are these users defined to have these permissions? We have a desktop admins group but the user has been removed. I am not sure if that is where they get the permissions from, just thought I would mention that. I would like to remove a few of the users but they are in every user/group.
Running 2008 R2 domain/forest.