If Domain Admins is the owner of Test1, then they can change permissions on the OU.
If Domain Admins is not the owner of Test1, you'll have to grab that first. Right-click the OU, go to Properties, Security, Advanced, click on the Owner tab, and grab ownership. Hunter -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Monday, February 07, 2005 10:57 AM To: [email protected] Subject: [ActiveDir] Fun with delegated permissions. (Gotta get out of the habit of ending my subject lines with ellipses so that Deji's webmail will be able to open them.) Hello all, Playing with a situation in a break-and-fix test lab and am looking for the...fix: 1. I'm a Domain admin for mycompany.com. I create an OU called Test1, that contains a security group called Test1Admins. 2. I then run Delegation of Authority and grant Test1Admins Full Control over the entire OU. 3. Someone in Test1Admins removes Domain Admins/Enterprise Admins permissions to the entire OU. 4. Every single member of Test1Admins gets killed in a strange bass-fishing accident, and now the Domain Admins need to re-exert control over this "orphaned" OU. I could swear I've read how to fix this somewhere, but I'm not coming up with it. Thanks! Laura List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
