Very much a follow on from this question I asked earlier here. Trying to go through metadata cleanup but every time I click delete on the offending DC I get an access denied (after prompts about it being a GC). Is there any other way I can remove it? I have unchecked the "protect from accidental deletion" option on the OU Domain Controllers, added myself as an Enterprise Admin (was already a Domain Admin) and generally thrown my toys out of the cot. Have I missed a glaringly obvious step somewhere? I thought the first process of metadata cleanup was removing the account and then a case of tidying up DNS and NTDS bits that pointed to the DC.
EDIT: So looking at NTDS Quotas OU thorugh ADSIEdit I notice that someone has added Everyone - Deny Special Permissions - Delete and Delete Subtree. Is this a normal setting to have configured?
EDIT2: Oh wait it gets better. Everyone has been assigned Deny permissions (to all sorts of attributes) to delete from teh Domain Controllers OU. I am guessing this is not a normal security practice for AD?