Implementing RBAC for AD - What permissions are required to delete an OU

%3CLINGO-SUB%20id%3D%22lingo-sub-3075549%22%20slang%3D%22en-US%22%3EImplementing%20RBAC%20for%20AD%20-%20What%20permissions%20are%20required%20to%20delete%20an%20OU%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3075549%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20setting%20up%20role%20based%20permissions%20in%20AD.%20Everything%20is%20working%20with%20the%20exception%20of%20deleting%20on%20OU.%20I%20used%20the%20delegation%20wizard%20to%20grant%20permission%20to%20a%20security%20group%20for%20all%20account%20objects%20and%20organizational%20units%20(and%20child%20objects).%20I%20can%20create%20an%20OU%2C%20uncheck%20the%20%22protect%20from%20accidental%20deletion%22%2C%20but%20I%20cannot%20delete%20on%20you%20(requires%20DA).%20I%20am%20assuming%20this%20is%20an%20intentionally%20security%20measure%20and%20not%20simply%20a%20missing%20permission%20that%20I%20can%20delegate.%20Is%20that%20correct%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3075549%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

I am setting up role based permissions in AD. Everything is working with the exception of deleting on OU. I used the delegation wizard to grant permission to a security group for all account objects and organizational units (and child objects). I can create an OU, uncheck the "protect from accidental deletion", but I cannot delete on you (requires DA). I am assuming this is an intentionally security measure and not simply a missing permission that I can delegate. Is that correct?

0 Replies