I found it: somewhere, several "allow from"s were hidden behind includes of includes and bypassed the user-specific things ... I hope whoever did all that to the system has retired meanwhile ... grmpf ...
The admin page behind this server was completely open to any domain user (several thousand).
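
An added example, not part of the original post: one way to surface "Allow from" lines buried in nested includes, assuming an Apache httpd-style configuration (the post does not name the server software). The file names and contents are constructed, the files are held in memory rather than read from disk, and wildcard includes are not expanded.

```python
import re

# Constructed sample configuration (file name -> content); not from the post.
SAMPLE = {
    "httpd.conf": (
        "<Location /admin>\n"
        "    AuthType Basic\n"
        "    Require user alice bob\n"
        "    Include conf.d/admin-extra.conf\n"
        "</Location>\n"
    ),
    "conf.d/admin-extra.conf": (
        "# legacy settings\n"
        "Include conf.d/legacy/net.conf\n"
    ),
    "conf.d/legacy/net.conf": (
        "Order deny,allow\n"
        "Allow from all\n"
    ),
}

INCLUDE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.I)
ALLOW = re.compile(r"^\s*Allow\s+from\s+(.+?)\s*$", re.I)


def find_allow_from(files, root):
    """Return (include chain, line number, directive) for every 'Allow from'."""
    hits = []

    def walk(name, chain):
        if name in chain:  # include loop: stop instead of recursing forever
            return
        chain = chain + [name]
        for lineno, line in enumerate(files.get(name, "").splitlines(), 1):
            if line.lstrip().startswith("#"):  # skip comment lines
                continue
            inc = INCLUDE.match(line)
            if inc:
                walk(inc.group(1), chain)  # follow the include at this point
            elif ALLOW.match(line):
                hits.append((" -> ".join(chain), lineno, line.strip()))

    walk(root, [])
    return hits


if __name__ == "__main__":
    for chain, lineno, directive in find_allow_from(SAMPLE, "httpd.conf"):
        print(f"{chain}:{lineno}: {directive}")
```

Each hit carries the full include chain, so a directive two levels below a protected section is reported together with the path that pulls it in.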