So no one can delete Objects

    Question

  • Screenshot from the Domain properties, in Active Directory Users and Computers.

    Hello. So that no one can delete objects in my lab AD I have set the rule you can see. However, I just created a user, and was able to delete it. The user I created it with was a Domain Admin. I thought this rule, the "Deny", would apply.

    Thanks in advance.


    Luis Olías.





    • Edited by Luis O.J Thursday, March 30, 2017 5:11 PM
    Thursday, March 30, 2017 5:07 PM


All replies

  • Members of protected groups, like "Domain Admins" do not inherit permissions from parent OU's (or the domain). Does this account for what you experience?

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, March 30, 2017 5:12 PM
  • No, I didn't. I will now, with my next user creation. Thanks.

    Luis Olías.

    Thursday, March 30, 2017 5:12 PM
  • Richard

    I guess I misunderstood this line from him, "The user I created it with was Domain Admin", as I thought the user was created using domain admin rights.

    You are right, if the user is a member of protected groups with adminCount=1, then the AdminSDHolder permissions will be enforced and the changes made will be wiped away.

    • Marked as answer by Luis O.J Thursday, March 30, 2017 6:31 PM
    Thursday, March 30, 2017 5:14 PM
  • Take a note of the permissions for the object before you try to delete it. Also, AdminSDHolder permissions for protected groups apply every 60 minutes by default, so there may be a timing issue as well.
    Thursday, March 30, 2017 5:17 PM
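To take the timing issue out of a test like this one, the following PowerShell reads the SDProp interval from the PDC emulator and forces an immediate run. This is an added example, not code from the thread. It assumes the ActiveDirectory module is installed, that PowerShell remoting to the PDC emulator is available for the registry read, and that the domain controller is Windows Server 2008 R2 or later (which supports the runProtectAdminGroups rootDSE operation).

```powershell
# Added example: how often SDProp runs, and how to run it now.
# Assumes ActiveDirectory module + PS remoting to the PDC emulator.
Import-Module ActiveDirectory

# SDProp runs only on the PDC emulator, so that is where the interval lives.
$pdc = (Get-ADDomain).PDCEmulator

# AdminSDProtectFrequency (seconds) under the NTDS Parameters key overrides the
# 60-minute default when it is present. Invoke-Command is an assumption here;
# any remote registry read would do.
$interval = Invoke-Command -ComputerName $pdc -ScriptBlock {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    (Get-ItemProperty -Path $key -Name AdminSDProtectFrequency `
        -ErrorAction SilentlyContinue).AdminSDProtectFrequency
}
if ($null -eq $interval) { $interval = 3600 }
"SDProp runs every $interval seconds on $pdc (default 3600 = 60 minutes)"

# Force a run now: write runProtectAdminGroups=1 to rootDSE on the PDC emulator.
# After this, every adminCount=1 object is re-stamped with the AdminSDHolder ACL,
# so a Deny ACE you just added to such an object will disappear immediately
# rather than some time in the next hour.
$rootDse = [ADSI]"LDAP://$pdc/RootDSE"
$rootDse.Put('runProtectAdminGroups', 1)
$rootDse.SetInfo()
"SDProp triggered on $pdc; re-check the object's ACL in a moment."
```

Run it as a Domain Admin on a machine that can reach the PDC emulator; then compare the object's permissions before and after instead of waiting for the next scheduled pass.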
  • Or maybe I misunderstood. When you apply permissions to an OU (or the domain) and all child objects, the permissions (like the deny permission you imposed) are inherited by all child objects (users), except those that are members of any protected groups (like "Domain Admins"). In general, you cannot deny the ability to delete objects to members of protected groups. It seemed to me that this accounted for what you experienced. Other protected groups are "Schema Admins" and all of the "Operator" groups. The members of these groups have permission inheritance disabled, so they do not inherit the permissions you assign to a parent OU or the domain.

    Edit: I should add, that even after a user is removed from a protected group, inheritance of permissions (and adminCount having a value of 1) is not reset. Someone must manually enable inheritance (and perhaps clear the adminCount attribute).


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, March 30, 2017 5:53 PM
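The checks and the manual reset described in the post above, as an added PowerShell example (not code from the thread). It assumes the ActiveDirectory module, which also provides the AD: drive used by Get-Acl and Set-Acl, and that you have already confirmed the account is no longer in any protected group before calling the reset function. The function names are this example's own.

```powershell
# Added example: see whether a user still carries the AdminSDHolder stamp, and
# undo it once the user has left all protected groups.
# Assumes the ActiveDirectory module (AD: drive for Get-Acl / Set-Acl).
Import-Module ActiveDirectory

$AccessOnly = [System.Security.AccessControl.AccessControlSections]::Access

function Get-AdminSDHolderState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user   = Get-ADUser -Identity $SamAccountName -Properties adminCount
    $acl    = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $holder = Get-Acl -Path "AD:\CN=AdminSDHolder,$((Get-ADDomain).SystemsContainer)"

    [pscustomobject]@{
        User               = $user.DistinguishedName
        AdminCount         = $user.adminCount            # 1 = stamped by SDProp
        InheritanceBlocked = $acl.AreAccessRulesProtected # $true = no OU/domain ACEs
        # Quick indicator only: SDProp copies the AdminSDHolder DACL onto the
        # object, so the two DACL SDDL strings normally match after a run.
        DaclMatchesHolder  = ($acl.GetSecurityDescriptorSddlForm($AccessOnly) -eq
                              $holder.GetSecurityDescriptorSddlForm($AccessOnly))
    }
}

function Reset-AdminSDHolderState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $path = "AD:\$($user.DistinguishedName)"

    # 1. Re-enable inheritance on the object. Neither removal from the group
    #    nor SDProp does this for you.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # $false = not protected
    Set-Acl -Path $path -AclObject $acl

    # 2. Clear adminCount; otherwise the next SDProp pass re-stamps the object.
    Set-ADUser -Identity $user -Clear adminCount

    # 3. The explicit ACEs SDProp copied onto the object are still there.
    #    Windows evaluates explicit Allow ACEs before inherited Deny ACEs, so an
    #    explicit Allow for Delete would still beat a Deny inherited from the
    #    domain. List them so they can be reviewed and removed deliberately.
    (Get-Acl -Path $path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
}

# Usage (account name is a placeholder):
# Get-AdminSDHolderState -SamAccountName 'jdoe'
# Reset-AdminSDHolderState -SamAccountName 'jdoe'   # only after leaving all protected groups
```

If Get-AdminSDHolderState reports adminCount 1 with inheritance blocked, the deny ACE set at the domain is simply not present on that object, which is the behaviour the post describes; a user who is a member of Domain Admins (or who was, and was never reset) will look like this.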
  • Sorry Richard, I didn't understand your question.

    Luis Olías.

    Thursday, March 30, 2017 6:32 PM
  • My question would be, was the user being deleted a member of Domain Admins (a protected group)?

    Or, was only the person deleting the normal user a member of Domain Admins?


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, March 30, 2017 6:47 PM
  • Thanks to you all !

    Luis Olías.

    Thursday, March 30, 2017 7:21 PM