You have created a default user group.
You have added the default user group to the authorization roles of the appropriate user administrators.
Users with no user group for authorization assigned can be changed by any user administrator in the system. It is impossible to segregate responsibilities for such users. To avoid such situations, make the user group for authorization checks a required entry for new users. With this customizing option, you also define default user group, which the system automatically enters when you create a user.
This customizing is client-specific.
Use User Maintenance: Mass Changes (transaction SU10) to find users with an empty Group for Authorization field and assign appropriate groups.
Once the user group is required, if a user is missing a user group for authorization checks, you cannot change, lock, set the initial password, or even delete the user.
To assign a user-specific default user group to user administrators, maintain the user parameter S_USER_GRP_DEFAULT for the user administrators.
SAP Note 1663177 SU01: User group as required entry field