Different ACLs on two OUs with the same "protect object from deletion" setting

Explanation

When you enable the Protect object from accidental deletion flag on an organizational unit (OU), two access control entries (ACEs) are written: one on that OU and one on its parent.

  1. The protected OU gets {Deny, Everyone, Delete+DeleteSubtree}
  2. The parent OU gets {Deny, Everyone, DeleteChildObjects}

The ACE on the parent is necessary to enforce the protection, but it has side effects such as the one observed here, and no matter how many times you toggle the protect flag, the Deny ACE on the parent is never removed automatically.

Thus, in the Active Directory that I was working with, any OU which had ever contained a protected OU (basically any non-leaf OU) had the Deny DeleteChild ACE on it, "trapping" computer objects in that OU from the perspective of users with delegated permissions.

Via: Protect object from accidental deletion on Technet Forums

Solution

This can easily be resolved by ensuring that the base OU used to delegate permissions has these two ACEs in its ACL:

  1. {Allow, GROUP, Create/delete computer objects, this object and all descendants}*
  2. {Allow, GROUP, Delete+DeleteSubtree, descendant computer objects}

I had already configured the first access control entry on the relevant OU in my directory, but now I know that was insufficient. The first rule gets cancelled out by the automatic deny ACE set up whenever a protected OU is created. The second rule allows an object to be deleted directly, thus bypassing the deny entry set up when a child OU is protected.

*(It's possible that the first rule is now redundant. Can anyone confirm?)
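The two ACEs from the Solution, plus a check for the leftover Deny, written as a PowerShell script. This is an added example and not part of the original post; it assumes the ActiveDirectory module is available, and $BaseOU and $Group are placeholders for the delegation base OU and the delegated group.

```powershell
# Added example: report the Deny DeleteChild ACE left behind by the protect flag
# and add the two Allow ACEs that let a delegated group delete computer objects.
Import-Module ActiveDirectory

$BaseOU = 'OU=Workstations,DC=example,DC=com'   # placeholder: base OU for delegation
$Group  = 'EXAMPLE\Workstation-Admins'          # placeholder: delegated group

# Look up the schemaIDGUID of the computer class instead of hard-coding it
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

$acl = Get-Acl -Path "AD:\$BaseOU"

# 1. Show whether this OU carries the {Deny, Everyone, DeleteChildObjects} ACE
#    that the protect flag writes to the parent of a protected OU
$denyDeleteChild = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq 'Everyone' -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)
}
if ($denyDeleteChild) {
    Write-Host "Deny DeleteChild for Everyone is present on $BaseOU; delegated deletes need a direct Delete ACE."
}

$identity = [System.Security.Principal.NTAccount]$Group
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

# 2. {Allow, GROUP, Create/delete computer objects, this object and all descendants}
$ace1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# 3. {Allow, GROUP, Delete+DeleteSubtree, descendant computer objects}
#    Granted on the computer object itself, so it is not cancelled by the
#    DeleteChild deny on the parent OU.
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree',
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($ace1)
$acl.AddAccessRule($ace2)
Set-Acl -Path "AD:\$BaseOU" -AclObject $acl
```

Run it with -WhatIf on Set-Acl first, or review $acl.Access, to confirm the two entries land on the intended OU before writing them.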