Active Directory inheritance not working as expected

The authenticated users in child1 are not there due to inheritance, they were added directly to the object. Probably you chose to copy the rights after removing the inheritance or they were there before.

You can see it, because the checkbox is not grey (right from authenticated users).

It's a bit late, considering when this question was posted, but I came across the same issue/question and thought it could be useful to post this. I had blocked inheritance on an OU, removed Authenticated Users, and when I created a new object (such as a group), Authenticated Users was added to the DACL for that group. See this doc

This is due to the default permissions applied to an object, which can be checked doing the following (this is a bit quick and dirty, but did the job for me):

1. Open adsiedit.msc
2. Navigate to object (such as CN=Organizational-unit)
3. Copy the defaultSecuritydescriptor value (which is an SDDL string)

4. Convert SDDL string to human readable ACEs (in PowerShell):

   $oldSddl = "insert value you copied in Step 3” 
   $ACLObject = New-Object -TypeName System.Security.AccessControl.DirectorySecurity 
   $ACLObject.SetSecurityDescriptorSddlForm($oldSddl) 
   $ACLObject.Access
   

Code was from this source

In theory could then replace this SDDL string (using a method, such as described in this article) and then paste this over the value from step 3. The usual caveats would apply about testing in test environment, having proper backups, etc, etc.