Every normal user should have an ACE that grants special permissions to the
Account Operators group on the user object. Members of protected groups like
Account Operators lack this ACE (and others). For example, if JSmith is a
normal user that has never been a member of a protected group, the JSmith
user object will have a ACE that grants Account Operators special
permissions on the object. However, if MWilson is made a member of Account
Operators, the ACE's will be replaced so that Account Operators no longer
has the additional permissions on the MWilson object. In other words, member
of Account Operators get additional permissions on all users except members
of protected groups (like Account Operators). I believe this is why people
recommend not using the group. Once you make someone a member of Account
Operators it's hard to restore the ACE's. The method I use is to create a
template user that is never a member of any protected group. I can restore a
user to the default permissions by copying the DACL from the template user
to the messed up user.

If you make MWilson a member of Account Operators, and they cannot manage
the JSmith object, then I would suspect that JSmith was once a member of a
protected group. Any users that do not have the ACE for Account Operators
may be in this boat. To be honest, the only solution I know of is to copy
the DACL as I suggested. If you need this, here is the VBScript program I
used to fix users in my test domain. The DN of the "template" user is hard
coded in the program. You pass the DN of the user to be "fixed" to the
program. If the messed up user had any special permissions, those are lost.
==========
' CopyDACL.vbs
' VBScript program to copy DACL from one user to another.
' Version 1.0 - May 29, 2008

Option Explicit

Dim strTemplateDN, strUserDN, objTemplateUser, objUser, objSecDescriptor

' Check for required argument.
If (Wscript.Arguments.Count < 1) Then
Wscript.Echo "Required argument <Distinguished Name> missing. " _
& "For example:" & vbCrLf _
& "cscript CopyDACL.vbs cn=TestUser,ou=West,dc=MyDomain,dc=com"
Wscript.Quit(0)
End If

' Bind to the user object with the LDAP provider.
strUserDN = Wscript.Arguments(0)
On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserDN)
If (Err.Number <> 0) Then
On Error GoTo 0
Wscript.Echo "User not found" & vbCrLf & strUserDN
Wscript.Quit(1)
End If
On Error GoTo 0

' Specify Distinguished Name of template user.
strTemplateDN = "cn=TemplateUser,ou=West,dc=MyDomain,dc=com"

' Bind to template user object.
Set objTemplateUser = GetObject("LDAP://" & strTemplateDN)

' Bind to the template user security descriptor object.
Set objSecDescriptor = objTemplateUser.Get("ntSecurityDescriptor")

' Update the user object with the template security descriptor.
objUser.Put "ntSecurityDescriptor", objSecDescriptor
objUser.SetInfo