I found the problem in this isntance...anotehr admin set the role authenticated suer to be able to view courses. This let them inside.
Now we have another problem though...there is one course that recycles the 'do you want to enrol in this coruse' message. This course is doing it for two people. One of these people was an admin, one an employee. I remade the admin profile, but the employee profile uses ldap so I dont want to do it for her.
im not sure how to tackle this one.Ill try replicating the coruse, but we have hundreds of people enrolled already, so this is not something I want to do.