Very much a follow-on from this question I asked earlier here. Trying to go through metadata cleanup, but every time I click delete on the offending DC I get an access denied (after prompts about it being a GC). Is there any other way I can remove it? I have unchecked the "protect from accidental deletion" option on the OU Domain Controllers, added myself as an Enterprise Admin (was already a Domain Admin) and generally thrown my toys out of the cot. Have I missed a glaringly obvious step somewhere? I thought the first process of metadata cleanup was removing the account and then a case of tidying up DNS and NTDS bits that pointed to the DC.
EDIT: So looking at the NTDS Quotas OU through ADSIEdit I notice that someone has added Everyone - Deny Special Permissions - Delete and Delete Subtree. Is this a normal setting to have configured?
EDIT2: Oh wait, it gets better. Everyone has been assigned Deny permissions (to all sorts of attributes) to delete from the Domain Controllers OU. I am guessing this is not a normal security practice for AD?
Check the ACL on the domain controller object and make sure that Domain Administrators and Enterprise Administrators have the appropriate Full Control ACE. Also check to make sure that there aren't any weird deny ACEs.
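As an added example (not part of the question or the answer above), here is a PowerShell script that performs the check the answer describes: it dumps any Deny ACEs on the dead DC's computer object, on the Domain Controllers container and on NTDS Quotas, confirms that Domain Admins and Enterprise Admins still hold Full Control (GenericAll), and optionally strips an explicit Deny for Everyone. The DC name `DEADDC01` is an assumption; the ActiveDirectory RSAT module and its `AD:` drive are required, and it should be run as an Enterprise Admin.

```powershell
# Added example, not from the original post: audit the ACLs that block metadata
# cleanup of a dead DC. Deny ACEs win over Allow, so a Deny for Everyone blocks
# Domain Admins and Enterprise Admins as well, which produces "access denied" on
# delete even though you are a member of both groups.
Import-Module ActiveDirectory

$DeadDc = 'DEADDC01'    # assumption: name of the DC being cleaned up
$Domain = Get-ADDomain
$Targets = @(
    (Get-ADComputer -Identity $DeadDc).DistinguishedName,
    $Domain.DomainControllersContainer,
    "CN=NTDS Quotas,$($Domain.DistinguishedName)"
)
$AdminGroups = @('Domain Admins', 'Enterprise Admins')
$FullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

foreach ($dn in $Targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    Write-Host "`n== $dn" -ForegroundColor Cyan

    # 1. Any Deny ACE on these objects is suspicious; list them with their origin,
    #    because an inherited Deny has to be removed on the object it came from.
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    if ($denies.Count -gt 0) {
        Write-Warning "Deny ACEs found on $dn"
        $denies |
            Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
            Format-Table -AutoSize
    } else {
        Write-Host 'No Deny ACEs.'
    }

    # 2. Confirm each admin group has an Allow ACE granting GenericAll (Full Control).
    #    The ACE is normally inherited, so inspect the whole effective Access list.
    foreach ($g in $AdminGroups) {
        $ok = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$g" -and
            (($_.ActiveDirectoryRights -band $FullControl) -eq $FullControl)
        }
        if ($ok) { Write-Host "$g has Full Control." }
        else     { Write-Warning "$g does NOT have an explicit or inherited Full Control ACE on $dn" }
    }

    # 3. Optional: remove an explicit (non-inherited) Deny for Everyone. Kept as a
    #    dry run with -WhatIf; drop -WhatIf only after confirming the Deny is not
    #    part of a deliberate hardening policy in your environment.
    $badRules = $denies | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited
    }
    foreach ($rule in $badRules) { [void]$acl.RemoveAccessRule($rule) }
    if ($badRules) {
        Set-Acl -Path "AD:\$dn" -AclObject $acl -WhatIf
    }
}
```

Once the Deny ACEs are gone (or replaced with something that does not match Everyone), the delete in Active Directory Users and Computers or `ntdsutil` metadata cleanup should succeed; rerun the script afterwards to confirm that the admin groups still show Full Control on the Domain Controllers container.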