How do I let admins only delete the OUs they created?
Posted on 2007-04-03
I'm trying to get a controlled AD designed & implemented, but I'm running into a few problems with delete rights in a Windows 2003 AD.
My situation is this: Each physical branch office is going to relate to an OU in the AD. There will be a parent OU, lets call it MASTER, with an OU for each branch office, so let's say OU1, OU2, OU3, and OU4. That's the default set of OUs each branch will receive. I want to delegate so that the each branch admin can, if they so desire, either create more new OUs directly in the branch OU, or create more new OUs in one of either OU1, OU2, OU3, or OU4. I want them to be able to delete whatever they have created themselves, but I **DONT** want them to create any of the defaut set (OU1/2/3/4). I've tried assigning various permutations, such as allowing full control on the branch OU, but explicit deny permissions on the standard OU set, but nothing seems to work because of the way Windows 2003 processes the inherited vs explicit permissions set.
Its proving very annoying!
Thanks for your help