I am running Windows 2012 R2 and have an AD service account that creates ServiceConnectionPoint (SCP) objects in a container. By default, when it creates these objects it has "Full Control" rights on them and is therefore able to delete them. I want to prevent the service account from being able to delete these objects. The service account does not have domain admin rights or AD elevated privileges.
I delegated the "Deny" right to "Delete" and "Delete subtree" on the container and all descendant objects to the service account, but that does not work. Any suggestions on how to achieve my objective?
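The check a practitioner would run before changing more permissions is to look at the DACL of one of the created SCP objects and see which ACEs are explicit (set on the object itself) and which are inherited from the container. Windows evaluates a DACL in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. An Allow placed directly on the object when it was created is therefore consulted before any Deny inherited from the container. The PowerShell below is an added example and not part of the original question; the SID, the distinguished name and the sample SDDL string are constructed placeholders, and the live-object helper assumes the ActiveDirectory module's AD: drive is available.

```powershell
# Added example: list an AD object's DACL in the order Windows evaluates it
# (explicit Deny, explicit Allow, inherited Deny, inherited Allow).
# The SID below is a constructed placeholder, not a real account.
$ServiceAccountSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

function Get-DaclSummary {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.RawSecurityDescriptor]$Descriptor
    )
    $rows = foreach ($ace in $Descriptor.DiscretionaryAcl) {
        # KnownAce covers Allow/Deny ACEs and their object-specific (AD) forms
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $inherited = [bool]($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::Inherited)
        [pscustomobject]@{
            Inherited  = $inherited
            Type       = $ace.AceType
            Trustee    = $ace.SecurityIdentifier.Value
            Mask       = ('0x{0:X8}' -f $ace.AccessMask)
            Delete     = [bool]($ace.AccessMask -band 0x00010000)  # DELETE
            DeleteTree = [bool]($ace.AccessMask -band 0x00000040)  # ADS_RIGHT_DS_DELETE_TREE
        }
    }
    # Canonical order: explicit before inherited, Deny before Allow within each group
    $rows | Sort-Object Inherited, @{ Expression = { $_.Type -match 'Denied' }; Descending = $true }
}

# Constructed DACL of a newly created SCP: the explicit Full Control the creator
# received, plus the Delete/Delete-subtree Deny inherited from the container
# (CI = container inherit, ID = inherited, SD = DELETE, DT = DELETE_TREE).
$sampleSddl = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ServiceAccountSid)(D;CIID;SDDT;;;$ServiceAccountSid)"
$sampleSd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sampleSddl)
Get-DaclSummary -Descriptor $sampleSd | Format-Table -AutoSize

# Same summary for a live object; needs the ActiveDirectory module (AD: drive).
function Get-AdObjectDaclSummary {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl  = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $sddl = $acl.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
    Get-DaclSummary -Descriptor (New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl))
}
# Placeholder DN; replace with a real SCP object:
# Get-AdObjectDaclSummary -DistinguishedName 'CN=ExampleSCP,CN=Services,DC=example,DC=com'
```

In the constructed sample the output shows the explicit Allow row (Inherited = False, Delete = True) ahead of the inherited Deny row, which is the ordering to look for on a real SCP object when an inherited Deny appears not to take effect: if the service account's Full Control sits directly on the object, that explicit ACE is where the Delete right is being granted.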