Unable to prevent OU deletion by Domain Admins?

J

Josh

I am trying (unsuccessfully) to prevent accidental deletion of several
OUs by our domain admins. For testing purposes, I have done this:

1) Create new OU, removed inheritance of permissions.
2) Removed all groups from the permissions
3) Added Domain Admins with Full Control
4) Explicity set Deny rights for Domain Admins for Delete, Delete
Subtree, and Delete Organizational Object.

Create new user, add user to Domain Admins. Log in with user, and the
OU can be deleted without warning.

The only way I have gotten this to work is by creating a user in the
OU that I want to protect, and setting Deny All rights for the Domain
Admins group on that user. That prevents Domain Admins from deleting
the parent OU, but it is a pretty bad solution...and it doesn't
explain why the Domain Admins can delete the OU when all relevant
deletion ACLs are set to Deny.

Any thoughts?
 
G

Guest

This is probably a case of you have the permission to delete sub-containers
at the parent container level. Just like with NTFS you can delete a folder
and sub-folders and files even if you don't have permissions to the files
themselves.

Either modify the permissions at the domain level (not the recommended
solution) or take Mark's advice and tighten down the members of the domain
admins group. If these guys can't be trusted, they shouldn't have that much
power...


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
T

tony72

Joined
Nov 2, 2005
Messages
1
Reaction score
0
To set an OU to prevent accidental deletion. As stated previously, Non inherited permissions trump inherited permissions in AD. Domain Admins permissions are always set as non inherited in AD at object creation. Do not modify the existing Domain Admin permissions, simply add the deny.

Apply following three deny permissions to every OU in advanced permission settings on the Object tab:
Permission Object------------------Setting--Apply To**
Delete Organizational Unit Objects--Deny----This Object Only
Delete----------------------------Deny-----This Object Only
Delete Subtree--------------------Deny-----This Object Only

** In your step 4, this will not work if you apply to "This Object and All Child Objects", you must select "This Object Only".

You can appy to Domain Admins or Everyone to ensure it is protected. Note this is only to prevent accidental. Any user with full control or Domain Admin permissions can remove the deny's then delete the OU.

Hope that helps,
Tony
 
Last edited:

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Unable to prevent OU deletion by Domain Admins? 8
Remove Domain Admins ability from "Delegation Of Control" 5
I am a member of domain admins, but I have been denied access to a certain OU. 1
Prevent some Domain Admin Account from creating USERS, Groups, OUs 2
OU level 3
HELP - specifying ability to add a workstation to a domain. 1
Permissions not applied to every user 4
GPO and Add Computer to Domain 1

Top