Protect object from Accidental Deletion causing issue with delegation rights

    Question

  • Hi, I've been trying to set up a delegation so that a group of users is only allowed to create/delete OUs and create/delete computer objects within an OU.

    I did manage to get this working; however, the users are not able to delete an OU which wasn't created by themselves and has "protect object from accidental deletion" enabled.  When they tried to delete an OU that was created by another user, the "protect object from accidental deletion" checkbox is greyed out.  If I grant them modify permissions then they can disable accidental deletion and delete the OU, but it then also allows them to grant themselves full rights to the OU, making the whole delegation worthless.  Anyone have an insight on how to solve this issue?


    Kevin.

    Tuesday, June 12, 2018 8:31 PM

All replies

  • Hi,

    According to my knowledge, for your needs we should have a domain admin uncheck the option instead of delegating modify permissions to the users.

    Best Regards,

    William


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 13, 2018 6:47 AM
  • "Protect OU from accidental deletion" flag effectively adds an ACL: "Deny Delete for Everyone" to that OU, which is inherited by all children.

    Either remove the "protection" flag from the parent OU or block inheritance on the object you want to delete (if your users have the rights to modify its permissions).

    Wednesday, June 13, 2018 10:27 PM
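The following is an added PowerShell example, not code from the thread or from Microsoft, illustrating what the two replies above describe: reading the "Protect object from accidental deletion" flag, listing the Deny entries it puts on the OU and on its parent, and the one-liner a domain admin can run to clear the flag for an OU subtree. It assumes the RSAT ActiveDirectory module is installed and that `OU=Servers,DC=corp,DC=example` is a placeholder you replace with a real distinguished name.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module;
# $ouDN is a placeholder distinguished name, replace it with your own.
Import-Module ActiveDirectory

$ouDN = 'OU=Servers,DC=corp,DC=example'   # assumption: placeholder DN

# 1. Read the flag the GUI shows as "Protect object from accidental deletion".
$ou = Get-ADOrganizationalUnit -Identity $ouDN -Properties ProtectedFromAccidentalDeletion
'{0}: ProtectedFromAccidentalDeletion = {1}' -f $ou.Name, $ou.ProtectedFromAccidentalDeletion

# 2. Show the Deny entries the flag corresponds to. Setting the flag writes
#    "Deny Delete, DeleteTree" for Everyone on the OU itself and
#    "Deny DeleteChild" for Everyone on the parent container.
function Get-EveryoneDenyAces([string]$dn) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' } |
        Select-Object @{n = 'Object'; e = { $dn } }, ActiveDirectoryRights, InheritanceType, IsInherited
}

# Parent DN: everything after the first RDN (assumes no escaped commas in the RDN).
$parentDN = ($ouDN -split ',', 2)[1]

Get-EveryoneDenyAces $ouDN     | Format-Table -AutoSize
Get-EveryoneDenyAces $parentDN | Format-Table -AutoSize

# 3. What a domain admin runs to clear the flag (the cmdlet removes those Deny
#    entries) for the OU and every OU beneath it, so delegated users can delete them.
Get-ADOrganizationalUnit -SearchBase $ouDN -SearchScope Subtree -Filter * `
    -Properties ProtectedFromAccidentalDeletion |
    Where-Object ProtectedFromAccidentalDeletion |
    Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false
```

Run step 2 before and after step 3 to see the Deny entries appear and disappear; the `IsInherited` column shows that they are written directly on the OU and its parent rather than flowing down from an ancestor.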
  • I've tried removing the protection flag from the parent OU and blocking inheritance, and it doesn't work.  As soon as someone creates an OU, by default it sets the protection flag on the OU.

    Kevin.

    Thursday, June 14, 2018 7:30 PM
  • Every time a user creates a child OU, they can right-click on it and delegate themselves full rights to the OU and create other objects like users and groups.  What I want is to lock them down to only managing servers within the Server OU but also allow them to create OUs to organise the servers.

    Kevin.

    Thursday, June 14, 2018 7:34 PM
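The behaviour in the last post (a user who creates a child OU can then grant themselves full rights to it) comes from ownership: the account that creates an AD object becomes its owner, and an owner implicitly holds Read Permissions and Modify Permissions on it regardless of the DACL. Windows provides the well-known OWNER RIGHTS principal (SID S-1-3-4); an explicit ACE for it replaces the owner's implicit rights. The added PowerShell example below, which is not code from the thread, builds the delegation the poster asked for on a Servers OU (create/delete OUs and computer objects, full control of computer objects only) and adds an inherited OWNER RIGHTS ACE that leaves creators with read-only rights on what they create, then lists the owner of every sub-OU as a check. The group name `ServerOU-Admins` and the DN `OU=Servers,DC=corp,DC=example` are placeholders.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module;
# the group name and OU DN below are placeholders, replace them with your own.
Import-Module ActiveDirectory

$ouDN  = 'OU=Servers,DC=corp,DC=example'           # assumption: placeholder DN
$group = Get-ADGroup -Identity 'ServerOU-Admins'    # assumption: placeholder group
$groupSid       = [System.Security.Principal.SecurityIdentifier]$group.SID
$ownerRightsSid = [System.Security.Principal.SecurityIdentifier]'S-1-3-4'   # well-known OWNER RIGHTS

# Resolve schema class GUIDs from the schema rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaClassGuid([string]$ldapDisplayName) {
    $cls = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ldapDisplayName))"
    [guid]$cls.schemaIDGUID
}
$ouGuid       = Get-SchemaClassGuid 'organizationalUnit'
$computerGuid = Get-SchemaClassGuid 'computer'

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl   = Get-Acl -Path "AD:\$ouDN"

# 1. Create/delete OUs and computer objects in the Servers OU and every OU beneath it.
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
foreach ($classGuid in $ouGuid, $computerGuid) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, $createDelete, $allow, $classGuid, $all))
}

# 2. Full control of descendant computer objects only (not OUs, users or groups).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow, $desc, $computerGuid))

# 3. Replace the implicit owner rights. The creator of an OU becomes its owner and
#    would otherwise be able to rewrite its DACL; an explicit OWNER RIGHTS ACE
#    granting only Read Permissions, inherited to all descendants, removes that.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $ownerRightsSid, [System.DirectoryServices.ActiveDirectoryRights]::ReadControl, $allow, $all))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Check: who owns each OU under the Servers OU, and which are still protected
#    (ADUC ticks "Protect container from accidental deletion" by default on new OUs).
Get-ADOrganizationalUnit -SearchBase $ouDN -SearchScope Subtree -Filter * `
    -Properties ProtectedFromAccidentalDeletion |
    ForEach-Object {
        [pscustomobject]@{
            OU        = $_.DistinguishedName
            Owner     = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner
            Protected = $_.ProtectedFromAccidentalDeletion
        }
    } | Format-Table -AutoSize
```

The OWNER RIGHTS ACE does not stop the delegated group from creating OUs, it only stops the creator from exercising ownership to re-ACL them; changes to an OU's permissions then require an explicit Modify Permissions grant, which this delegation does not give. Sub-OUs the users create will still carry the protection flag, so step 3 of the earlier example (an admin clearing the flag for the subtree) is what lets another delegated user delete them.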