Return
-
Title
Prevent User objects from being deleted. -
Description
When creating an Access Template (AT) denying user deletion, you may find it not working when applying the denial to user class only. -
Cause
This is due to the Microsoft ‘s permissions structure.
-
Resolution
SOLUTION
Since the deletion can be actioned in three different ways, the denial needs to be applied as followed:
1) Deny Delete (Object Class: User);
2) Deny Delete User Objects (Object Class: All Classes);
3) Deny Delete Tree (Object Class: User);
-
Additional Information
Please note that in AD there is no permission named "Move", so applying the above will also restrict the moving objects between OUs. To bypass this, please apply the ARS artificial permission “Move Out” to the same AT.