To add to what Joe just said, you might run DSACLS <DN of OU> /S /T
This command will reset the permissions on the OU *and* all objects beneath it to the default set by the schema. This might help prevent any "junk" other than the perms you're trying to set from causing problems... This is what it sounds like -- a RESET TO DEFAULT -- so don't use it if you have other delegation attached to the OU that you want to preserve. However, the default DOES include "inherit", so any perms attached explicitly to OUs (or the domain) "above" this OU will be inherited. Dan List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
