As a Domain admin, i would like to have a permission model on an OU "A". Requirement is like this: users are member of Group "B" should not be able to delete any object under OU "A" however should be able to move the object in sub OU's under OU "A".
I have given the permission to the Group "B" as Deny Permission for (Delete and Delete Subtree). Now users of Group "B" are not able to delete any object under OU "A" but also they are not able to move the object. Error says Access is Denied.
Is this achievable? Any assistance is most appreciable.