Explicit deny ACE doesn't apply to domain admin group

    Question

  • Hi -

    I'm assuming others have run into this, but I haven't found a definitive answer online.

    I've got an OU with an explicit "Deny" ACE set on the "Delete Child Object" permission for the Everyone group to prevent users from deleting child objects within the OU. I've also got an explicit "Allow" "Full Control" ACE for the domain admin group for the same OU. Domain admins can delete child objects, but other users can't. I understand that an explicit permission will override an inherited one, even an inherited deny, but both of these permissions are explicit on the OU. In that case, doesn't the deny override the allow? I did notice that "Domain Admin" was listed as the owner of the OU....would that have any bearing on this? I know the object owner can go in and override the default permissions, but it doesn't look like it has been done in this case. Also, I checked the effective permissions for both Domain Admin and Everyone...Domain admin had full control, Everyone had no permissions checked.

    How is it that a domain admin can delete child objects despite the explicit "Deny" for the everyone group?

    Thursday, December 15, 2016 6:58 PM

All replies

  • Hi,
    As far as I know, the owner can always change permissions on an object, even when denied all access to the object, which means that, even if the owner does not have full control of an object, the owner can always modify the permissions on the object.
    We could see more details about the permission from:
    How Permissions Work
    https://technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx
    Active Directory Object Permissions
    https://www.microsoftpressstore.com/articles/article.aspx?p=2231764&seqNum=3
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    In addition, given the "power rights" of the domain admin group, we always suggest securing this group by limiting the membership of the Domain Admins group. Please see:
    Securing Active Directory Administrative Groups and Accounts
    https://technet.microsoft.com/en-us/library/cc700835.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, December 16, 2016 3:25 AM
    Moderator
  • > How is it that a domain admin can delete child objects despite the explicit "Deny" for the everyone group?
     
    It's not a question of the ACLs set on the OU, but of the ACLs that get set on new children. Did you verify these?
     
    Friday, December 16, 2016 9:23 AM
    Thanks, Martin - yes, I've checked the permissions on the group that needs to be removed...I'm not seeing any deny permissions on the group object. The Everyone group's Deny on the Delete Child Object permission was for "This object only", not "This object and all descendant objects". The group that has permissions to delete the group is listed on the ACL for the OU and extends to "This object and all descendant objects", but the specific "Create/Delete Groups" permission is not listed on the ACE of the group object itself (yes, permission inheritance is turned on). Other permissions for that group are listed, just not that one. In a way, that kind of makes sense, since you can't create or delete a group that is a child object of another group, so the permission to do so shouldn't be displayed.
    Friday, December 16, 2016 2:29 PM
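As an added illustration (not part of this thread and not Microsoft's code), the following Python model walks a DACL the way the Windows access check does: explicit deny ACEs are evaluated before explicit allow ACEs, inherited ACEs come after both, and the owner is implicitly granted READ_CONTROL and WRITE_DAC before the DACL is consulted. It reproduces the situation described above: an explicit Deny for Everyone on "Delete Child" on the OU (this object only) plus an explicit Allow Full Control for Domain Admins that propagates to descendants. The model is deliberately simplified (group names stand in for SIDs, only four access-mask bits are modelled, and object-type-specific ACEs such as "Create/Delete Groups" are collapsed into a generic DELETE_CHILD bit); the object names, group names and the `can_delete` helper are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Set

# Access-mask bits (real Windows values for the subset of rights modelled here)
ADS_RIGHT_DS_DELETE_CHILD = 0x00000002
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
FULL_CONTROL = ADS_RIGHT_DS_DELETE_CHILD | DELETE | READ_CONTROL | WRITE_DAC


@dataclass
class Ace:
    kind: str                 # "allow" or "deny"
    trustee: str              # group/user name standing in for a SID (constructed)
    mask: int
    propagate: bool = False   # True = "This object and all descendant objects"
    inherited: bool = False   # set on copies that land on child objects


@dataclass
class AdObject:
    name: str
    owner: str
    dacl: List[Ace]


def canonical(dacl: List[Ace]) -> List[Ace]:
    """Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])


def inherit(parent: AdObject, child_name: str, owner: str) -> AdObject:
    """Create a child whose DACL holds only the parent's propagating ACEs, marked inherited."""
    copied = [Ace(a.kind, a.trustee, a.mask, propagate=True, inherited=True)
              for a in parent.dacl if a.propagate]
    return AdObject(child_name, owner, copied)


def access_check(obj: AdObject, token: Set[str], desired: int) -> bool:
    """Return True if every requested bit is granted before a matching deny is hit."""
    remaining = desired
    # The owner always gets READ_CONTROL and WRITE_DAC, regardless of the DACL.
    if obj.owner in token:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in canonical(obj.dacl):
        if ace.trustee not in token or not (ace.mask & remaining):
            continue                      # ACE is for someone else, or for bits already granted
        if ace.kind == "deny":
            return False                  # first deny on an outstanding bit ends the check
        remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


def can_delete(child: AdObject, parent: AdObject, token: Set[str]) -> bool:
    """AD deletes an object if the child grants DELETE or the parent grants DELETE_CHILD."""
    return (access_check(child, token, DELETE)
            or access_check(parent, token, ADS_RIGHT_DS_DELETE_CHILD))


def build_scenario():
    """Constructed OU and child group mirroring the ACEs described in the thread."""
    ou = AdObject("OU=Groups", owner="Domain Admins", dacl=[
        Ace("allow", "Domain Admins", FULL_CONTROL, propagate=True),      # explicit allow
        Ace("deny", "Everyone", ADS_RIGHT_DS_DELETE_CHILD, propagate=False),  # this object only
    ])
    group = inherit(ou, "CN=SomeGroup", owner="Domain Admins")
    return ou, group


DOMAIN_ADMIN = {"Domain Admins", "Everyone"}   # every authenticated principal is in Everyone
REGULAR_USER = {"Domain Users", "Everyone"}

if __name__ == "__main__":
    ou, group = build_scenario()
    print("DA Delete Child on OU :", access_check(ou, DOMAIN_ADMIN, ADS_RIGHT_DS_DELETE_CHILD))
    print("DA Delete on child    :", access_check(group, DOMAIN_ADMIN, DELETE))
    print("DA can delete group   :", can_delete(group, ou, DOMAIN_ADMIN))
    print("User can delete group :", can_delete(group, ou, REGULAR_USER))
```

Running it shows why the observed behaviour is consistent with the rules: the explicit Deny for Everyone does beat the explicit Allow on the OU itself, so "Delete Child" is refused even for Domain Admins, but the deletion still succeeds because the inherited Allow on the child grants the child's own "Delete" right, and a Deny scoped to "This object only" never reaches the child. The owner clause in `access_check` is also what lets an owner who is otherwise denied everything still rewrite the DACL, which is the point made in the first reply. When auditing an OU for this kind of surprise, check both the parent's Delete Child entries and the inherited entries on the children.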
  • Hi,
    Thank you for the feedback. I am checking how the issue is going; based on your feedback, can I assume that your question is answered?
    If you still have any questions, please feel free to contact us. If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.
    We appreciate your feedback.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 19, 2016 1:47 AM
    Moderator