Consider the following scenario...
1. Protect an AD user (all attributes).
2. Via ADUC select the users's properties | member of tab.
3. Add the user to a new group.
4. Click 'apply'
5. Receive error, "The following active directory domain services error occurred: insufficient access rights to perform the operation.". Click OK.
6. Click cancel
7. View user properties | member of tab once again and find user is added to group even though the error above was produced.
8. Find all events in CA reported as 'Success' events.
-next-
9. Via ADUC select the users's properties | member of tab.
10. Remove the user from the recently added group.
11. Click 'apply'
12. Receive error, "The following active directory domain services error occurred: insufficient access rights to perform the operation.". Click OK.
13. Click cancel
14. View user properties | member of tab once again and find user was not removed from the group (works as expected).
15. Find no events reported in CA.