Quantcast
Channel: Directory Services forum
Viewing all articles
Browse latest Browse all 31638

Delete All Child Computer Object Vs. Delete

$
0
0

Consider an OU named Laptops and a single computer object inside namedMachine102. There are 2 somehow similar conceptual waysthat appear to assign permissions to delete Machine102 to a security principal (Ted) - (1) assign Delete All Child Computer Objects against the Laptops OU and scope it to "this object only"; (2) assign Delete against the Machine102 computer account and scope it to "this object only" for Ted.

My question is - when someone right clicks the computer object for Machine102 and selects Delete - what is the DC handling this deletion operation checking ? Is it both (1) and (2), or only (2) ? Alternatively, if Ted were to try and delete the Laptops OU altogether, would the DC check (1) and (2) ? Do you have a link to a Technet article describing this in detail or an MS blogpost ?

Just to keep things simple, we're not taking into account deny permissions, or "Protect object from accidental deletion" being assigned. 


Viewing all articles
Browse latest Browse all 31638

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>