AD permission to delete User objects set only on last child OU

FXE 501 Reputation points
2023-03-14T15:55:42.08+00:00

Hi all,

For some days it seems, I'm facing a strange behaviour about delegating purposes on User objects management in our AD 2019.

We have a multi-level OU structure. Permissions to create and delete User objects for a specific helpdesk group are set on a top OU to be applied to "This Object only and all descendant objects".

The permission "Create User object" is correctly set on all child OUs, but "Delete User object" is set on the last child OU only!

When I check inheritance on intermediate child OUs or on last child OUs, all is right. But when I check for "Effective access" on intermediate child OUs for a user member of the helpdesk group, the permission "Delete User object" is set to false "limited access by objects permissions", whereas this permission is set correctly on all last child OUs.

Is there a reason for this behaviour?

Thank you.

Regards,


2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  2. FXE 501 Reputation points
    2023-03-15T17:56:17.9466667+00:00

    Hello and thank you for your answer, but I'm aware of what permissions in AD are...

    Maybe if I explain my situation a bit more, it will help you to understand:

    Permission "Delete User objects" is set on level 1 OU:

    ---Level 1 OU : permission is not applied

    ------Level 2 OU : permission is not applied

    --------Last level OU : permission is applied

    Regards,
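
A way to compare the relevant ACEs level by level, as an added example that is not part of the original thread: for each OU it lists the Create/Delete child entries that apply to User objects for the helpdesk group, plus any Deny entries, with their inheritance state. The OU distinguished names, domain and group name are placeholders (assumptions), and the ActiveDirectory PowerShell module is required.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the thread.
Import-Module ActiveDirectory

$Group = 'CONTOSO\Helpdesk-Users'          # delegated helpdesk group (placeholder)
$OUs   = @(                                # one OU per level, top to bottom (placeholders)
    'OU=Level1,DC=contoso,DC=example',
    'OU=Level2,OU=Level1,DC=contoso,DC=example',
    'OU=Last,OU=Level2,OU=Level1,DC=contoso,DC=example'
)

# schemaIDGUID of the User class; an all-zero GUID means "all child object classes".
$UserClass  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$AnyClass   = [guid]::Empty
$ChildRight = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

$report = foreach ($ou in $OUs) {
    $acl = Get-Acl -Path "AD:\$ou"
    foreach ($ace in $acl.Access) {
        # Keep entries that grant or deny creating/deleting child objects
        # (GenericAll contains both bits, so full-control entries show up too).
        if (($ace.ActiveDirectoryRights -band $ChildRight) -eq 0) { continue }
        # Keep entries scoped to User objects or to every child class.
        if ($ace.ObjectType -ne $UserClass -and $ace.ObjectType -ne $AnyClass) { continue }
        # Keep the helpdesk group's entries and every Deny entry: an explicit Deny
        # is evaluated before an inherited Allow, whoever the trustee is.
        $isGroup = $ace.IdentityReference.Value -eq $Group
        if (-not $isGroup -and $ace.AccessControlType -ne 'Deny') { continue }

        [pscustomobject]@{
            OU                 = $ou
            Trustee            = $ace.IdentityReference.Value
            Type               = $ace.AccessControlType        # Allow / Deny
            Rights             = $ace.ActiveDirectoryRights
            ChildClass         = if ($ace.ObjectType -eq $UserClass) { 'user' } else { 'all' }
            AppliesTo          = $ace.InheritanceType          # None, All, Descendents, ...
            Inherited          = $ace.IsInherited
            InheritanceBlocked = $acl.AreAccessRulesProtected  # OU-level flag
        }
    }
}

$report | Sort-Object OU, Type | Format-Table -AutoSize -Wrap
```

Differences between the rows for an intermediate OU and for a last-level OU show where the Delete entry is missing, overridden or not inherited.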
