Modify OU delegation problem

[aconti]

Hello, I am trying to remove the permission to delete computer accounts in a particular OU for a particular domain admin user. This is just a test setup but even when I selected the Deny next to delete and delete subtree and also the delete Group Objects the same admin can still delete everything from the same OU. On the other hand when I remove the list contents checkbox the same admin cannot see anything listed in the same OU therefore it works as desired.

Any help pls thank you

Howdie!

aconti schrieb:
> Hello, I am trying to remove the permission to delete computer accounts
> in a particular OU for a particular domain admin user. This is just a
> test setup but even when I selected the Deny next to delete and delete
> subtree and also the delete Group Objects the same admin can still
> delete everything from the same OU. On the other hand when I remove the
> list contents checkbox the same admin cannot see anything listed in the
> same OU therefore it works as desired.

Check whether the admin is member of other groups that enable him/her to
delete the folders.

Other than that, restricting domain admins is not going to work. Admins
can put themselves back to the ACL and remove things. If you want to
restrict admin efficiently, remove their admin-ness, make them regular
user and grant them the necessary permission so that they can do their work.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.

Hello aconti,

Preventing an Admin from doing whatever is not possible, an Admin can always
undo the setting. Remove the Admin permissions, that's the only way.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello, I am trying to remove the permission to delete computer
> accounts in a particular OU for a particular domain admin user. This
> is just a test setup but even when I selected the Deny next to delete
> and delete subtree and also the delete Group Objects the same admin
> can still delete everything from the same OU. On the other hand when I
> remove the list contents checkbox the same admin cannot see anything
> listed in the same OU therefore it works as desired.
>
> Any help pls thank you
>
> http://forums.techarena.in
>

"aconti" <aconti.430l7d@DoNotSpam.com> wrote in message
news:aconti.430l7d@DoNotSpam.com...
>
> Hello, I am trying to remove the permission to delete computer accounts
> in a particular OU for a particular domain admin user. This is just a
> test setup but even when I selected the Deny next to delete and delete
> subtree and also the delete Group Objects the same admin can still
> delete everything from the same OU. On the other hand when I remove the
> list contents checkbox the same admin cannot see anything listed in the
> same OU therefore it works as desired.
>
> Any help pls thank you
>
>
> --
> aconti


If the user is truly part of the Domain Administrators group, no, it can't
be done, as Florian and Meinolf already stated. You would have to remove
them from the group, create another group and delegate that group to the OU
with their required permissions and not more.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.