I'm currently running a very standard 2012 R2 domain with a number of OUs in the structure for different permission levels. We have some Level 1 help desk staff in the built-in Account Operators group so they can set up users and modify existing accounts.
There is a sub-OU that I would like them to have only read-only access on, but it appears that even when this is changed on the OU holding these accounts, any new accounts created are still given Full Control (Allow) for the Account Operators group by default.
Does anyone know the reason for this, and is it possible to stop that from happening to new accounts?
Example Images below:
Would like to deny all editing of users under the Service OU by account operators
Current permissions for the account operators on the Service OU level
Current permissions for the account operators on a user under this OU (default permissions for all new accounts) (Inheritance is enabled at all levels)
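One way to check where the Account Operators permissions on a new user object actually come from, as an added example that is not part of the original question: the script below lists the ACEs for that principal on the OU and on a user beneath it and marks each ACE as inherited from the parent or explicit on the object itself. It also reads the `defaultSecurityDescriptor` of the `user` schema class, which is the per-class template Active Directory stamps onto every newly created object of that class as explicit ACEs; explicit ACEs are unaffected by permission changes made on the containing OU. It assumes the ActiveDirectory PowerShell module (RSAT) and the `AD:` drive it registers; the distinguished names are placeholders to replace with your own.

```powershell
# Added example (not from the original post): show whether the Account Operators
# ACEs on a user object are inherited from the OU or explicit on the object,
# and display the schema default that explicit ACEs on new users come from.
# Assumes the ActiveDirectory module (RSAT). DNs below are placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Service,DC=example,DC=local'                  # placeholder OU
$userDn    = 'CN=Test User,OU=Service,DC=example,DC=local'      # placeholder user
$principal = 'BUILTIN\Account Operators'

function Get-AceReport {
    # Return every ACE for $IdentityReference on the given object,
    # flagging whether it was inherited or set directly on the object.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$IdentityReference
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $IdentityReference } |
        ForEach-Object {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Type      = $_.AccessControlType          # Allow / Deny
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
                Source    = if ($_.IsInherited) { 'inherited from parent' } else { 'explicit on object' }
            }
        }
}

function Get-ClassDefaultSd {
    # Read the defaultSecurityDescriptor (SDDL) of a schema class, e.g. 'user'.
    # This is the template applied as explicit ACEs to each new object of that class.
    param([Parameter(Mandatory)][string]$ClassName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity "CN=$ClassName,$schemaNc" -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
}

"--- ACEs for $principal on the OU ---"
Get-AceReport -DistinguishedName $ouDn   -IdentityReference $principal | Format-Table -AutoSize

"--- ACEs for $principal on the user object ---"
Get-AceReport -DistinguishedName $userDn -IdentityReference $principal | Format-Table -AutoSize

"--- defaultSecurityDescriptor of the 'user' schema class (SDDL) ---"
Get-ClassDefaultSd -ClassName 'user'
```

If the user object's Account Operators ACE shows `Inherited = False`, it was not granted by the OU at all and editing OU permissions will never remove it from objects created afterwards; the SDDL string from the schema class shows the ACE (`;;;AO` identifies Account Operators) that produces it. Run the script with an account that can read the schema naming context, and read-only output is all it produces.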