Channel: Directory Services forum

Domain administrator and a deny everyone rule


Hi guys! I'm working on a problem where we have delegation of control set up to enable a group (let's call it the DeleteComputerObjects group) of users to delete computer objects in a couple of OUs.

This means that when I open the properties of the OU, go to security, advanced, there's an entry for the DeleteComputerObjects group. When I view the permissions of this entry, it has the right to delete computer objects. So far, so good.

However, users in the DeleteComputerObjects group are reporting they're unable to delete computer objects. I am (as a domain admin) still able to delete computer objects. When I view the ACL of the OU, there's a Deny Everyone entry, and when I view the permission it denies delete computer objects. This would explain why the DeleteComputerObjects users cannot delete computer objects.

The strange thing is, how is it possible that domain admins are still able to delete objects while there's a deny "delete computer objects" ACE for everyone? Are domain admins able to supersede a deny everyone entry?

