Suppose that I, as a domain administrator, create an organizational unit (OU) called R&D and delegate full control of R&D to a user. If that user edits the OU's ACL to remove all entries that grant me access to the OU, can I regain control of the container?
In short, you can regain control. A user can never permanently lock an Administrator out of any object. Because you created the R&D OU, you're its owner. In Windows 2000, the object's owner has the final say about who can access it. As long as the user doesn't also take ownership of the OU (I address this situation in the next paragraph), you can still edit the OU's ACL and regain access. However, you must be aware of an idiosyncrasy in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. After the user removes your access to the R&D OU, when you view R&D, the Active Directory Users and Computers snap-in will display R&D as an object whose type is Unknown, as Figure 1, page 8, shows. The first time you try to view R&D's ACL, the R&D OU's Properties dialog box, which Figure 2, page 8, shows, will indicate that you can't access security information. I've discovered that if you select a different object in the Active Directory Users and Computers snap-in, view its ACL, then select the R&D OU's ACL again, you can then view and edit R&D's ACL.
If the user also takes ownership of the object, you'll need to exercise the Take Ownership of Files and Other Objects right, which administrators have by default and can always grant to themselves. To regain control of the OU, open the Active Directory Users and Computers snap-in, right-click the OU, select Properties, then click the Security tab. At this point, you'll encounter another bug in the Active Directory Users and Computers snap-in. Win2K displays a message stating that you can't view the permissions but that you can change them. Indeed, you can't view the permissions--but you can't change them either because you now neither own nor have full control over the object. Nevertheless, click OK; you'll see a blank permissions dialog box such as the one that Figure 3 shows. Click Advanced, then select Owner. Select your username in the Change owner to window that Figure 4 shows, then click OK twice to close the dialog boxes. Open R&D's Properties dialog box again, then click the Security tab. Now, you can view and edit the ACL as I described.
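The two recovery paths above follow from how the access check treats owners and privileges. The sketch below is an added example, not part of the original column: it is a simplified model (allow ACEs only; no deny ACEs or inheritance) run over constructed sample data, and the account names `CORP\Administrator` and `CORP\rd-lead` are hypothetical.

```python
# Simplified model of the Windows access check for the scenario above.
# Constructed sample data; trustee names are hypothetical. Deny ACEs and
# inheritance are deliberately left out.
READ_CONTROL = 0x00020000   # read the security descriptor
WRITE_DAC    = 0x00040000   # edit the ACL
WRITE_OWNER  = 0x00080000   # change the owner
FULL_CONTROL = 0x000F01FF   # all rights on a directory object

ADMIN, DELEGATE = "CORP\\Administrator", "CORP\\rd-lead"
ADMIN_PRIVS = ("SeTakeOwnershipPrivilege",)   # held by administrators by default

def granted(sd, user, privileges=()):
    """Return the access mask `user` gets on security descriptor `sd`."""
    mask = 0
    for trustee, rights in sd["dacl"]:        # explicit allow ACEs
        if trustee == user:
            mask |= rights
    if sd["owner"] == user:                   # owner's implicit rights
        mask |= READ_CONTROL | WRITE_DAC
    if "SeTakeOwnershipPrivilege" in privileges:
        mask |= WRITE_OWNER                   # privilege bypasses the DACL
    return mask

def recover(sd, user, privileges=()):
    """Regain full control the way the text describes; return steps taken."""
    steps = []
    if not granted(sd, user, privileges) & WRITE_DAC:
        if not granted(sd, user, privileges) & WRITE_OWNER:
            raise PermissionError("no path back to the object")
        sd["owner"] = user                    # Advanced > Owner in the snap-in
        steps.append("take ownership")
    sd["dacl"].append((user, FULL_CONTROL))   # Security tab: re-add the ACE
    steps.append("edit ACL")
    return steps

# Case 1: delegate stripped the admin's ACEs but the admin still owns the OU.
ou_stripped = {"owner": ADMIN, "dacl": [(DELEGATE, FULL_CONTROL)]}
# Case 2: delegate also took ownership.
ou_seized = {"owner": DELEGATE, "dacl": [(DELEGATE, FULL_CONTROL)]}

if __name__ == "__main__":
    for name, sd in (("stripped", ou_stripped), ("seized", ou_seized)):
        before = hex(granted(sd, ADMIN, ADMIN_PRIVS))
        print(name, before, recover(sd, ADMIN, ADMIN_PRIVS))
```

In the seized case the administrator's only remaining right is `WRITE_OWNER`, which is why the ownership change has to come before any ACL edit.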