Had a strange behaviour while editing some AD-Objects with a service account. Some objects were editable and some were not…
I found some differences in the ACL of the objects – some objects applied inherited rights while others didn’t.
I was able to compare the ACL entries with this tool:
dsacls "\\ADSERVER\CN=Doe John,OU=Some OU,OU=Some ohter OU,DC=Domain,DC=LOCAL"
Pipe the output to a text file and compare the text files, using windiff for instance.
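The same comparison done in one PowerShell pass, as an added example that is not part of the original post: it dumps both ACLs with dsacls, diffs the dumps, and then reports whether each object blocks inheritance. The second DN, the file names and the use of the ActiveDirectory module (RSAT) for the `AD:` drive are assumptions.

```powershell
# Added example. Server name and first DN are the placeholders from the post;
# the second DN is a constructed placeholder for an object that behaves differently.
$server  = 'ADSERVER'
$objects = [ordered]@{
    Editable    = 'CN=Doe John,OU=Some OU,OU=Some ohter OU,DC=Domain,DC=LOCAL'
    NotEditable = 'CN=Roe Jane,OU=Some OU,OU=Some ohter OU,DC=Domain,DC=LOCAL'
}

# 1) Dump each ACL with dsacls and keep the text for diffing.
$dumps = @{}
foreach ($name in $objects.Keys) {
    $file = Join-Path $env:TEMP "acl_$name.txt"
    dsacls "\\$server\$($objects[$name])" | Out-File -FilePath $file -Encoding utf8
    $dumps[$name] = @(Get-Content -Path $file)
    if ($dumps[$name].Count -eq 0) {
        throw "dsacls returned no output for '$name'; check the DN and your read rights."
    }
}

# 2) Show the lines that appear in only one of the two dumps.
#    '<=' means only in Editable, '=>' means only in NotEditable.
Compare-Object -ReferenceObject $dumps['Editable'] -DifferenceObject $dumps['NotEditable'] |
    Sort-Object SideIndicator |
    Format-Table SideIndicator, InputObject -AutoSize -Wrap

# 3) Check the inheritance flag directly instead of reading it out of the diff.
#    Assumption: the ActiveDirectory module is installed, which provides the AD: drive.
Import-Module ActiveDirectory
foreach ($name in $objects.Keys) {
    $acl = Get-Acl -Path "AD:\$($objects[$name])"
    [pscustomobject]@{
        Object             = $name
        # True means the object does not apply ACEs inherited from its parent.
        InheritanceBlocked = $acl.AreAccessRulesProtected
        InheritedAces      = @($acl.Access | Where-Object { $_.IsInherited }).Count
        ExplicitAces       = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
    }
}
```

An object that reports `InheritanceBlocked = True` with zero inherited ACEs will not pick up rights delegated to the service account on a parent OU.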