
I am trying to remove one of the security groups which has an inherited permission on one of my OUs in Active Directory. When I click on remove I get the message "You can't remove xxx group (Domain\xxxgroup) because this object is inheriting permissions from its parent. To remove "xxx group" you must prevent this object from inheriting permissions. Turn off the option for inheriting permissions, and then try to remove the xxxgroup again."

I am using Windows 2012 AD. When I click on disable inheritance after selecting this security group called "xxxgroup", it removes the inherited permission not only for that one but for all the other ACEs that are defined for the group, which does not solve the problem.

Any help is much appreciated. I have been stuck on this for hours now trying to find a solution.

  • What do you mean when you disable inheritance it doesn't solve the problem? Because it disables inheritance on all other ACEs? Or because you still can't remove the problematic ACE? If the former, that is how it works and it is the only choice you have. If you want to remove an inherited permission you have to disable inheritance for the entire OU then remove the ACE you don't want. If that's not working you're doing something wrong because that is how it works. – Appleoddity Jun 13 '18 at 23:56
  • You remove/disable permissions inheritance on the object that is inheriting the permissions, not on one of the inherited permissions (the ACE on the ACL). – joeqwerty Jun 14 '18 at 00:38
  • Agreed @Appleoddity. But disabling the inheritance at the parent level messes up my other groups' inheritance as well, so we have decided to leave it there. We will be creating a new ACL just to deny the permissions so it's taken care of. Thanks for your response. – Shaikh Farookh Jun 14 '18 at 22:29

1 Answer


What we have decided is to let the allow ACEs be there, since they are inherited and can't be removed or modified unless done from the parent.

We will create 3 new ACEs for the below:

  1. Create/Delete group objects - This object and all descendant objects - Deny
  2. Create/Delete user objects - This object and all descendant objects - Deny
  3. Delete - This object and all descendant objects - Deny

Thanks everyone for your responses.
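The three deny ACEs from the list above, as an added PowerShell example that is not part of the original answer. It assumes the ActiveDirectory module (which provides the AD: drive); the OU path and the Domain\group name are placeholders to replace with your own values.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module for the AD: drive. $ouPath and $groupName are placeholders.
Import-Module ActiveDirectory

$ouPath    = "AD:\OU=Example,DC=corp,DC=example"   # placeholder OU
$groupName = "CORP\xxxgroup"                        # placeholder Domain\group

$identity = New-Object System.Security.Principal.NTAccount($groupName)

# Schema class GUIDs of the object types the Create/Delete denies apply to
$groupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group
$userClassGuid  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user

$deny    = [System.Security.AccessControl.AccessControlType]::Deny
# "This object and all descendant objects"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

$rules = @(
    # 1. Create/Delete group objects - This object and all descendant objects - Deny
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $createDelete, $deny, $groupClassGuid, $inherit),
    # 2. Create/Delete user objects - This object and all descendant objects - Deny
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $createDelete, $deny, $userClassGuid, $inherit),
    # 3. Delete - This object and all descendant objects - Deny
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::Delete, $deny, $inherit)
)

# Add the explicit Deny ACEs to the OU without touching the inherited Allow ACEs
$acl = Get-Acl -Path $ouPath
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $ouPath -AclObject $acl

# Verify: show the explicit (non-inherited) Deny ACEs now present on the OU
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Explicit ACEs are evaluated before inherited ones, so on the OU the Deny overrides the inherited Allow; on a descendant object the Deny inherited from the OU is ordered ahead of the Allow inherited from further up, but an Allow set explicitly on that child would still win.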

  • Whether you disable inheritance or use Deny, you are disregarding best practices. If your directory structure is set up in such a way that you have to disable inheritance or put in a deny, then you have it designed wrong. Just pointing that out, because long term this makes for a mess. – Appleoddity Jun 15 '18 at 00:08