Prevent DSA.MSC from deleting user accounts
Hello,
I am trying to implement something like the OU's "Protect from accidental deletion" on the user accounts. The problem here is that I am still a member of Domain Admins, I have the right to "Take ownership". So although I remove all permissions to a user account, remove inheritance and set the permissions so that they are ONLY and EXACTLY:
Everyone = Deny = DELETE, DELETE SUBTREE
Everyone = Allow = READ
Owner = some single user account, not me, not Domain Admins, not Administrators
The DSA console just takes ownership of the object, changes the permissions and deletes the object (probably). The only auditing info I get from this operation is just:
DS Access: Failure - Delete
Account Management: Success - user deleted
So I would like to know:
a) how to prevent DSA from deleting user accounts when I am a Domain Admins member.
b) what the ____ happens that I do not see any auditing info on the object having permissions/owner changed after the first DS Access delete fails.
Thank you very much.
ondrej.
September 3rd, 2010 1:28pm
Everything solved. Sorry for troubling. The OU had the DELETE User Objects permission, which was not audited and was actually used to delete the object instead of the permissions on the user object itself.
o.
September 3rd, 2010 3:23pm
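A read-only check for the cause described in the post above, added here as an example and not part of the original thread: it lists the delete-child ("Delete User objects") entries on the account's parent container and reports whether that right is audited there. The DN is a placeholder, and the ActiveDirectory RSAT module is assumed.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder DN; replace with the account you are trying to protect.
$userDn = 'CN=Test User,OU=Staff,DC=example,DC=com'

# schemaIDGUID of the "user" class; an all-zero ObjectType means "all child classes".
$userClass   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$anyClass    = [guid]::Empty
$deleteChild = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild

# Parent container = DN minus its first RDN (split on the first unescaped comma).
$parentDn = ((Get-ADUser -Identity $userDn).DistinguishedName -split '(?<!\\),', 2)[1]

# -Audit also loads the SACL; this needs the "Manage auditing and security log" right.
$acl = Get-Acl -Path "AD:\$parentDn" -Audit

# Matches access or audit entries that cover deleting user objects in this container.
$coversUserDelete = {
    ($_.ActiveDirectoryRights -band $deleteChild) -and
    ($_.ObjectType -in $userClass, $anyClass) -and
    # Skip inherit-only entries: they apply below this container, not to it.
    ($_.InheritanceType -notin 'Descendents', 'Children')
}

$access = @($acl.Access | Where-Object $coversUserDelete)
$audit  = @($acl.Audit  | Where-Object $coversUserDelete)

"Delete-child entries on $parentDn that cover user objects:"
$access | Sort-Object AccessControlType |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize

$allows = @($access | Where-Object { $_.AccessControlType -eq 'Allow' })
if ($allows.Count -gt 0) {
    Write-Warning ("{0} Allow entr(y/ies) on the parent permit deleting user objects, " +
                   "independent of the ACL on the user object itself." -f $allows.Count)
}

if ($audit.Count -eq 0) {
    Write-Warning 'No audit (SACL) entry covers DeleteChild of user objects on this container.'
} else {
    $audit | Format-Table IdentityReference, AuditFlags, ActiveDirectoryRights, IsInherited -AutoSize
}
```

Note that rights such as GenericAll include the DeleteChild bit, so Full Control entries on the container appear in the output as well.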


