We have 25 plugins activated at the network level, which I can list if you need them. And of course blog-by-blog they vary.
But I've found a pattern.
There are three different places you can modify a user, at the network level, at the blog level, or at the "edit site" level.
If a user is NOT registered with a role on the root site, they can't be edited from the network level. I tested user A, who was an administrator on many sub-blogs but had no role on the root site. I couldn't edit her, but then made her a subscriber on the root site, and I could. At the network level.
Even if a user has a role on the network, if they are an administrator they cannot be edited on the blog level. So user A, even after I added her to the root site, could not be edited from the users screen on the blog level.
These users cannot be modified from the Edit Site::Users screen either, BUT it's possible to change their role using the checkbox/dropdown tools.
The problem also holds for a custom role I set up called SafeAdministrator. The image at
shows the permission set.
Hopefully this will help you experiment on one of your own setups.