Hi,
I'm trying to give permission to "Helpdesk-Group" to manage Computer objects under the Workstations OU and subsequent OUs below that. I have delegated the rights with the Delegate Control wizard in ADUC (according to http://social.technet.microsoft.com/forums/en-us/winserversecurity/thread/F1D6D833-F3D1-4EF9-A717-1F685E99B1A2).
This works OK for a single OU, e.g. Workstations. I can move a Computer to and from the OU.
But if I create another OU under the Workstations OU, I lose the right. However, I can move a Computer object to and from the sub OU Laptops. It seems that, for some reason, AD changes the permissions on the parent OU (Workstations) when adding a sub OU: Everyone: Delete All Child Objects: Deny.
Am I missing something here? How can I delegate permissions to the Workstation OU and the whole OU subtree?
OU Structure:
|-Workstation
|-Laptops
|-Country
Regards
lakend