I'm using a piece of software that checks the entire AD for expiring user accounts. The software runs as a service, with a user account set up just for this purpose. I am trying to limit which accounts the software checks by denying read access on certain OUs.
I have tried to deny the SWService user account read access to the Active Directory in every area I can think of, but certain read permissions persist.
The software is running on a domain controller. The user account is a member of Domain Users and Administrators (builtin). If I remove the user from Administrators, the service will not start. I'm not sure if membership in Administrators is causing this or not.
The server that the software is running on is Windows Server 2008. The domain is at Windows 2003 functional level.