What is required to delete admin accounts that are members of a protected group like Domain Admins or Enterprise Admins? The most common answer is whoever has the Delete right on the user object. But when it comes to ACLs in Active Directory, it’s not always that easy. ACLs are a powerful and complex thing in Active Directory.

Discretionary Access Control Lists (DACLs) and Access Control Entries (ACEs)

If we read the Microsoft documentation on how the system evaluates whether a security principal is allowed or denied access:

When access is requested to an Active Directory object, the Local Security Authority (LSA) compares the access token of the account that is requesting access to the object to the DACL. The security subsystem checks the object’s DACL, looking for ACEs that apply to the user and group SIDs referenced in the user’s access token. The security subsystem then steps through the DACL until it finds any ACEs that allow or deny access to the user or to one of the user’s groups. The subsystem does this by first examining ACEs that have been explicitly assigned to the object and then examining ones that have been inherited by the object. The following illustration shows the important parts of an access token and a DACL when a request is evaluated. If an explicit deny is found, access is denied. Explicit deny ACEs are always applied, even if conflicting allow ACEs exist.
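The DACL evaluation order described in the Microsoft text can be modelled in a few lines. This is an added example, not code from the original post or from Microsoft: a simplified Python model that sorts ACEs into explicit-before-inherited, deny-before-allow order and walks them for a Delete request. The SIDs other than Everyone (S-1-1-0) are constructed placeholders, and the model ignores object-specific ACEs, ownership and privileges.

```python
from dataclasses import dataclass

DELETE = 0x00010000  # standard access right DELETE

@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    sid: str                # trustee the ACE applies to
    mask: int               # access rights covered by the ACE
    inherited: bool = False

def canonical_order(dacl):
    """Explicit ACEs before inherited ones; deny before allow within each group."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token_sids, dacl, desired):
    """Return (granted, deciding_ace) for the requested rights."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue                      # ACE is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False, ace             # a still-needed right is denied
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, ace          # everything requested is granted
    return False, None                    # nothing matched: implicit deny

# Constructed sample data: placeholder SIDs, except Everyone (S-1-1-0).
EVERYONE = "S-1-1-0"
HELPDESK = "S-1-5-21-EXAMPLE-1105"
TOKEN = {EVERYONE, HELPDESK, "S-1-5-21-EXAMPLE-2001"}

EXPLICIT_DENY = [Ace("allow", HELPDESK, DELETE, inherited=True),
                 Ace("deny", EVERYONE, DELETE)]
INHERITED_DENY = [Ace("deny", EVERYONE, DELETE, inherited=True),
                  Ace("allow", HELPDESK, DELETE)]
NO_MATCH = [Ace("allow", "S-1-5-21-EXAMPLE-9999", DELETE)]

if __name__ == "__main__":
    for name, dacl in [("explicit deny", EXPLICIT_DENY),
                       ("inherited deny", INHERITED_DENY),
                       ("no matching ACE", NO_MATCH)]:
        granted, ace = access_check(TOKEN, dacl, DELETE)
        print(f"{name}: granted={granted} decided_by={ace}")
```

In the second DACL the request is granted because the explicit allow is reached before the inherited deny, which is why only an explicit deny is guaranteed to win.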