A. You can revoke permissions on all containers under a passed root--for example, a domain or an organization unit (OU)--by using the Dsrevoke tool, which I describe in FAQ "How can I view the state of Active Directory (AD) permissions delegations?" To revoke permissions, you use the command syntax that I provided in that FAQ but replace the /report switch with the /remove switch, like this:

dsrevoke /remove /root:ou=testing,dc=demo,dc=test demo\helpdesk

After you run Dsrevoke, the access control entries (ACEs) that match your criteria are displayed on screen, like this:

ACE #1
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
READ PROPERTY
WRITE PROPERTY
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

ACE #2
Object: OU=testing,DC=demo,DC=test
Security Principal: DEMO\HelpDesk

Permissions:
EXTENDED ACCESS
ACE Type: ALLOW

ACE does not apply to this object
ACE inherited by all child objects of class User

# of ACEs for demo\helpdesk = 2

Do you want to remove the above listed ACEs (y/n): y
All ACEs successfully removed

To remove the ACEs, you must enter "y" (yes) at the prompt. You can then confirm the removal by running Dsrevoke to output a report:

dsrevoke /report /root:ou=testing,dc=demo,dc=test demo\helpdesk

The command outputs this message:

No ACEs for demo\helpdesk