Delegate Full Access but prevent assigning of additional Access Templates

Question

Hi, 
 In my company, I have delegated Full Access (all objects) to several Organizational Units in AD - I recently noticed this also allows admins to assign additional Access Templates to allow other users to have access to that same area. Is there any way I can prevent this from happening? I don't mind them seeing the existing config or the templates themselves, but they should not be able to assign or remove any Access Templates. I already tried blocking class "Access Templates" but that didn't seem to help (guess that only locks out modifying the templates themselves). Couldn't find the option for denying (un)assigning templates or policies etc. 
 Thanks!

JohnnyQuest · Accepted Answer

The subtle "kicker" here is the notion of "Full Access". Best practice when delegating access through AR is to NEVER grant anyone the ability to modify security on objects - i.e. delegation. When you look at the delegation Wizard, in AR, there is a "Full Control" option - granting this allows people to modify security on objects. I believe that if you grant only read/write access to all properties, that this ability to modify delegations goes away. If you wanted to go a step further and really be transparent about restricting delegation, you could set a Deny on "Write Control" under Object Access in the delegation Wizard.

Endpoint Privilege Management

Delegate Full Access but prevent assigning of additional Access Templates