Delgation Question

[Josh Messerschmitt]

I'm trying to create a setup in AD where each OU from the root represents a
location and under each OU (location) there will be 3 other specific OU's.
I've made groups to represent each site and given them Full Control to their
respective site. I don't want the users in that group to delete any of the
OU's I've created by default, so I set explicit deny 'Delete' rights to each
OU. However, this only works for the OU from the root, not the 3 under that
OU. This doesn't make sense to me - shouldn't deny take precedence? Am I
missing something?

Any ideas?

 

[Jorge_de_Almeida_Pinto]

I'm trying to create a setup in AD where each OU from the root
represents a
location and under each OU (location) there will be 3 other
specific OU's.
I've made groups to represent each site and given them Full
Control to their
respective site. I don't want the users in that group to
delete any of the
OU's I've created by default, so I set explicit deny 'Delete'
rights to each
OU. However, this only works for the OU from the root, not
the 3 under that
OU. This doesn't make sense to me - shouldn't deny take
precedence? Am I
missing something?

Any ideas?

the deny is not needed if you have delegated the tasks correctly for
the objects beneath the OU. As long as they are not the owner of the
OU or are not member of groups that are specified on the OU with
delete OU permissions you’re OK. When delegating permissions also
think about the scope and the type of objects. If you delegate full
controll for users, groups or computers or whatever they cannot delete
the OU

 

[Josh Messerschmitt]

I took a different approach with this and everything is working as planned
now. I didn't give any rights to the Building's OU (except to link gpo's),
and then gave Full Control to 'child objects' in each of the 3 OU's under
the building OU. However, I still don't understand why the user/group was
able to delete the object in my ealier post - It makes no sense to me.