Consider an OU named Laptops and a single computer object inside namedMachine102. There are 2 somehow similar conceptual waysthat appear to assign permissions to delete Machine102 to a security principal (Ted) - (1) assign Delete All Child Computer Objects against the Laptops OU and scope it to "this object only"; (2) assign Delete against the Machine102 computer account and scope it to "this object only" for Ted.
My question is - when someone right clicks the computer object for Machine102 and selects Delete - what is the DC handling this deletion operation checking ? Is it both (1) and (2), or only (2) ? Alternatively, if Ted were to try and delete the Laptops OU altogether, would the DC check (1) and (2) ? Do you have a link to a Technet article describing this in detail or an MS blogpost ?
Just to keep things simple, we're not taking into account deny permissions, or "Protect object from accidental deletion" being assigned.