If you're asking what I think you're asking, you have a user with [Full Access] credentials who's able to modify settings in the Security dialog, but is being asked for a local [Full Access] account when he makes changes. If that's right, it's expected behavior.
Whenever you modify the settings in the Security dialog, FileMaker will always ask you to provide a local FileMaker account for confirmation. It won't use an eternally authenticated account for this purpose, even if you've logged in that way.
Because domain authentication can be spoofed. If an EA full access account could make changes to security and I can get a hand on one of your backups, I can just host the files on my own domain and have full access to your solution without knowing the full access local credentials.
The behavior you are seeing negates that.