Originally Posted by soupandsandwich
Those particular problematic users are likely part of an AD group with elevated permissions. (Domain Admin?)
They are members of Domain Admin and Enterprise Admin. One of them is the Administrator, which needs to be a member of both.
As BES users, they can't (and shouldn't) be members of either group.
Very dangerous for an admin to running as an admin all the time. That's bad security practice.
You should be following the principle of least privilege.
Get them out of the special groups.