Hi all,
We had an old OU in our domain that was inappropriately named (did not make sense). So over time I moved the users of this OU to a new OU while testing to make sure everything still worked. But now I cannot delete this old OU. I have checked that the property "protect from accidental deletion" is unchecked. I also checked that the user I am logged in as (administrator) has rights at the domain level to delete the OU (the OU is one level down from the domain object).
I have checked "effective access" for user administrator. And also checked it for "Administrators" (group) (which Administrator is part of) and also for Domain Admins (which Administrator is part of). And all seem to have full access using the effective access tool.
Couple questions:
1) in AD, if the user is a member of a number of groups, is not the effective permission given the "most access"? (except if Deny is explicitly used).
2) is there a lag between the time I take child objects out of an OU and when I can delete an OU because of some wait period for replication to take place across the domain controllers i.e. maybe I just have to wait longer?
Note: I can create and delete OU's off of the root of the domain so it seems I have enough rights to do that.
Thanks,
Albert Gostick