For some days now, it seems, I've been facing strange behaviour when delegating User object management in our AD 2019.
We have a multi-level OU structure. Permissions to create and delete User objects for a specific helpdesk group are set on a top OU and applied to "This object only and all descendant objects".
The permission "Create User object" is correctly set on all child OUs, but "Delete User object" is set on the last child OU only!
When I check inheritance on intermediate child OUs or on last child OUs, all is right. But when I check "Effective access" on intermediate child OUs for a user who is a member of the helpdesk group, the permission "Delete User object" is set to false ("limited access by object permissions"), whereas this permission is set correctly on all last child OUs.
Is there a reason for this behaviour?
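One way to see what the delegation actually produced at each level of the OU tree is to dump the relevant ACEs from the security descriptor of every OU under the top OU, rather than relying on the Effective Access tab. The script below is an added example, not code from the original question; it assumes the ActiveDirectory PowerShell module is installed and uses `$TopOU` and `$Helpdesk` as placeholders for the top-level OU distinguished name and the delegated group. It lists, per OU, every Allow ACE for that group that grants CreateChild or DeleteChild on user objects (or on all object classes), together with whether the ACE is inherited and how it is scoped.

```powershell
# Added diagnostic example (not from the original post). Assumptions: the
# ActiveDirectory module is installed; $TopOU and $Helpdesk are placeholders
# to replace with your own top-level OU DN and delegated group (DOMAIN\Name).
Import-Module ActiveDirectory

$TopOU    = 'OU=Corp,DC=example,DC=com'      # placeholder: your top OU
$Helpdesk = 'EXAMPLE\Helpdesk-UserAdmins'    # placeholder: delegated group

# schemaIDGUID of the "user" class: an ACE restricted to User objects carries it in ObjectType
$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# CreateChild (1) | DeleteChild (2): the rights behind "Create/Delete User objects"
$CreateDelete = [int]([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                      [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)

# The top OU itself plus every OU below it
$ous = @(Get-ADOrganizationalUnit -Identity $TopOU) +
       @(Get-ADOrganizationalUnit -Filter * -SearchBase $TopOU -SearchScope Subtree |
         Where-Object { $_.DistinguishedName -ne $TopOU })

foreach ($ou in $ous) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)

    # Keep only Allow ACEs for the helpdesk group that grant create/delete on
    # user child objects; an empty ObjectType means "all object classes".
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Helpdesk -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $UserClassGuid -or $_.ObjectType -eq [guid]::Empty) -and
        (([int]$_.ActiveDirectoryRights -band $CreateDelete) -ne 0)
    }

    Write-Output $ou.DistinguishedName
    if (-not $aces) {
        Write-Output ("    no create/delete ACE for {0} on this OU" -f $Helpdesk)
        continue
    }

    foreach ($ace in $aces) {
        $scope = if ($ace.ObjectType -eq $UserClassGuid) { 'user' } else { 'all classes' }
        Write-Output ("    Rights={0}; Inherited={1}; InheritanceType={2}; Propagation={3}; AppliesTo={4}; InheritedObjectType={5}" -f
            $ace.ActiveDirectoryRights, $ace.IsInherited, $ace.InheritanceType,
            $ace.PropagationFlags, $scope, $ace.InheritedObjectType)
    }
}
```

Reading the output: an ACE created with "This object and all descendant objects" should appear on the top OU with `Inherited=False` and `InheritanceType=All`, and on every OU below it with `Inherited=True`. An intermediate OU where the DeleteChild ACE is missing, or where it only shows up with `InheritedObjectType` set to some class other than user, points at an inheritance scope or a blocked-inheritance setting rather than at the group membership. Note that deleting a user can also be satisfied by a `Delete` right on the user object itself, and that any Deny ACE for the same group wins over these Allow entries; neither is listed by this script.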