I have a Windows Server 2008 R2 domain called sl13.mycompanytest.biz. I am running PowerShell on the server as a user that is a member of the following groups: Domain Admins, Enterprise Admins, Domain Users, Schema Admins, Organization Management.
I have created an OU called Test (OU=Test,DC=sl13,DC=mycompanytest,DC=biz). This object is *not* marked with the protection from accidental deletion checkbox. I can create and delete this OU just fine with the ADUC control panel applet.
When I try to remove the OU using PowerShell I get: Access is denied. When I look at the security tab for the entire domain (or the OU) I can see that Enterprise Admins has "full control" and all boxes checked, including all deletion options. However, when I click Advanced and then Effective Permissions for the domain object (or the OU object), and enter the name of my administrative user (who is a member of Enterprise Admins), it shows he does not have full control and *none* of the deletion permissions are checked. If I enter the 'Administrator' username in the effective permissions box, I see the same thing: not full control, no deletion options checked. Both of these users can clearly delete anything they want through ADUC due to being members of Enterprise Admins, but for some reason, not through PowerShell.
Here is the PowerShell output:
    PS C:\Users\nathan> Remove-ADOrganizationalUnit $ouToRemove -Recursive -Confirm:$false
    Remove-ADOrganizationalUnit : Access is denied
    At line:1 char:28
    + Remove-ADOrganizationalUnit <<<< $ouToRemove -Recursive -Confirm:$false
        + CategoryInfo          : PermissionDenied: (OU=Test,DC=sl13,DC=mycompanytest,DC=biz:ADOrganizationalUnit) [Remove-ADOrganizationalUnit], UnauthorizedAccessException
        + FullyQualifiedErrorId : Access is denied,Microsoft.ActiveDirectory.Management.Commands.RemoveADOrganizationalUnit
So several questions:

1) Why would my effective permission differ in PowerShell and ADUC?

2) How in the heck would anything override the permission of the "Enterprise Admins" group to deny it delete permission?

3) How do I fix this? I see that there is an "Everyone" user who is specifically denied all delete permissions, but that should not overwrite my Enterprise Admin privileges, should it? And if so, why does it only overwrite them through PowerShell but not through ADUC?
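Before concluding that the ACL itself is wrong, there are two things worth checking from the same PowerShell session that produced the error above. First, whether that session holds an elevated token: under UAC a non-elevated shell carries the administrative group SIDs (including Domain Admins and Enterprise Admins) as deny-only, so the allow ACEs granted to those groups do not apply while a Deny ACE for Everyone still does, which matches the effective-permissions display described in the question. Second, because -Recursive deletes the whole subtree, a single child object that still has protection from accidental deletion (ADUC applies it by default to new OUs) is enough to fail the entire call even when the top-level OU is unprotected. The script below is an added diagnostic example, not part of the original post; it assumes the ActiveDirectory module is available, that the AD: drive it creates on import is usable, and that $ouDN is the OU from the question. The optional remediation at the end is only a suggestion and is disabled by default.

```powershell
# Added diagnostic example (not from the original post). Assumes the
# ActiveDirectory module is installed and $ouDN is the OU in question.
Import-Module ActiveDirectory

$ouDN = 'OU=Test,DC=sl13,DC=mycompanytest,DC=biz'   # OU from the question

# 1. Is this PowerShell session running with an elevated (unfiltered) token?
#    Under UAC a non-elevated shell marks the admin group SIDs deny-only, so
#    group membership alone does not make the Enterprise Admins allow ACEs apply.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Session is elevated: $elevated"

# 2. List every Deny ACE on the OU: who is denied, which rights, and whether
#    the ACE is inherited from the parent container.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize

# 3. -Recursive deletes the whole subtree, so a protected child object fails the
#    entire operation. Show the protection flag for every object under the OU.
$subtree = Get-ADObject -SearchBase $ouDN -SearchScope Subtree -Filter * -Properties ProtectedFromAccidentalDeletion
$subtree |
    Select-Object DistinguishedName, ObjectClass, ProtectedFromAccidentalDeletion |
    Format-Table -AutoSize

# 4. Optional remediation (assumption: protected children are the cause).
#    Clears the protection flag on every protected object in the subtree so
#    that Remove-ADOrganizationalUnit -Recursive can proceed. Off by default.
$clearProtection = $false
if ($clearProtection) {
    $subtree |
        Where-Object { $_.ProtectedFromAccidentalDeletion } |
        ForEach-Object {
            Set-ADObject -Identity $_.DistinguishedName -ProtectedFromAccidentalDeletion $false
            "Cleared protection on $($_.DistinguishedName)"
        }
}
```

If step 1 reports False, rerun the delete from a shell started with "Run as administrator" before changing any ACL. If step 3 shows protected objects below the OU, the Deny ACE for Everyone seen in the security tab is the mechanism that implements that flag, which is why it blocks a tree delete regardless of the caller's group membership.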