Graham
..as far as i understood the capabilities issue (..and i'd be glad for some guru approvement : ) :
Question 1:
it's not that "all users always have the authenticated user" but": each user that assigned at lower context level (not at the front page) will always get a list of the capabilities defined for the authenticated user. (example?)
Questions 2:
have you checked the value of capability moodle/course:update for admin at system_context for that "lost Admin" user?
Regards,
Ana