I'm tracking all the ways to delegate rights in AD. I want to create a custom Delegation wizard by using the delegwiz.inf. I want to provide the ability to junior admins to create an OU but with no sub OUs under that Root OU. I can do it by modifying the security tab. I want to be able to deny rights using the delegwiz.inf file. I need to deny rights to "Owner Rights" and to the SA group. For the life of me I can't find this anywhere on the web. I basically need to do the following:
Owner Rights
Deny - Create OU - All Descendant OU Objects
Admins Rights:
Deny - Create OU - All Descendant OU Objects
Deny - Modify Permissions - All Descendant OU Objects
There are some more, but giving rights seems quite easy; denying them seems much more magical.
Thanks for any help I can get on this.
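
The three deny entries listed in the post, written directly to the OU's security descriptor with PowerShell rather than through delegwiz.inf (an added example, not part of the original post). The OU path and group name are placeholders, `New-DenyOuAce` is a hypothetical helper, and the ActiveDirectory module is assumed to be available.

```powershell
# Added example: writes the deny ACEs to the ACL directly (the same thing the
# Security tab does); it does not use delegwiz.inf.
Import-Module ActiveDirectory

$ouDn      = 'OU=Root,DC=example,DC=com'   # placeholder: the delegated root OU
$adminsGrp = 'EXAMPLE\Junior-Admins'       # placeholder: the admins group from the post

# schemaIDGUID of the organizationalUnit class
$ouClass = [Guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'

# Well-known SID S-1-3-4 is OWNER RIGHTS
$ownerRights = [System.Security.Principal.SecurityIdentifier]::new('S-1-3-4')
$admins = [System.Security.Principal.NTAccount]::new($adminsGrp).Translate(
    [System.Security.Principal.SecurityIdentifier])

function New-DenyOuAce {
    # Hypothetical helper: builds a Deny ACE that is inherited only by
    # descendant OU objects ("All Descendant OU Objects" in the post).
    param($Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, [Guid]$ObjectType)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ObjectType,   # class the right applies to; empty GUID means no restriction
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ouClass)      # inheritedObjectType: the ACE takes effect on OUs only
}

$aces = @(
    # Owner Rights: Deny - Create OU
    New-DenyOuAce -Sid $ownerRights -Rights CreateChild -ObjectType $ouClass
    # Admins: Deny - Create OU
    New-DenyOuAce -Sid $admins -Rights CreateChild -ObjectType $ouClass
    # Admins: Deny - Modify Permissions (WriteDacl)
    New-DenyOuAce -Sid $admins -Rights WriteDacl -ObjectType ([Guid]::Empty)
)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path $path -AclObject $acl

# Review the result: explicit Deny entries on the root OU
(Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```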