Permissions required to move computer accounts

  • Permissions required to move computer accounts

    I am wanting to delegate administrative permissions to allow a security group to be able to move computer accounts between OUs. All new computer accounts added to the domain are currently automatically placed into an OU (not the default computer container), but we have a number of other OUs where the computer accounts need to be moved to. I have found an article in relation to W2k, our domain is W2003, KB818091. This is more around setting permissions on the OU where the account will be moved from to the OU it will be moved to. As we have a number of OUs where the account could be moved to, I would prefer to delegate the admin necessary to complete the task, but so far have not been successful. I would appreciate any help that could be offered.

  • #2
    Re: Permissions required to move computer accounts

    Article is all right.

    1. Delegate the rights to delete and create computer objects at the domain level instead of the computer container.

    2. Select "This object and all child objects" instead of "This object only"

    3. Allow both create and delete Computer Objects.

    After this user will be able to move computers from any to any container.

    Regards,
    Kapil Sharma
    ~~~~~~~~~~~~~
    Life is too short, Enjoy It.

    • #3
      Re: Permissions required to move computer accounts

      Thanks Kapil

      I have done as you suggested but also needed to add the permission to write all properties and this has worked - easy when you know how!!

      Thank you very much for your quick response and help.

      • #4
        Re: Permissions required to move computer accounts

        It is generally a bad practice to delegate this kind of permission at domain level as the members of the delegated security group will be able to delete/move ANY computer object (including DCs and other infrastructure servers).

        It is much better to create an OU, delegate "create/delete computer objects" and "write properties" on the OU and place all the OUs you want to delegate under the OU you have created.
        i.e.:

        OU=DelegatedOUs <-- this is where you configure delegation
        |
        |____SubOU1
        |
        |____SubOU2
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
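The OU-scoped delegation from post #4, combined with the write-properties permission from post #3, written as `dsacls` commands. This is an added example, not part of the original thread; the domain DN, the group name `EXAMPLE\ComputerMovers` and the choice to limit write-properties to computer objects are assumptions.

```powershell
# Added example: all names below are placeholders, adjust to your domain.
$DomainDN    = 'DC=example,DC=com'            # placeholder domain
$DelegatedOU = "OU=DelegatedOUs,$DomainDN"    # parent OU from post #4
$Group       = 'EXAMPLE\ComputerMovers'       # placeholder security group

# 1. Create/delete computer objects on the parent OU and every OU beneath it
#    (/I:T = this object and all child objects). A move needs "delete" on the
#    source OU and "create" on the destination OU, so the OU where new
#    computer accounts land must sit under this parent as well.
dsacls $DelegatedOU /I:T /G "${Group}:CCDC;computer"

# 2. Write all properties, inherited only by computer objects below the OU
#    (/I:S = child objects only; the trailing ";computer" is the inherited
#    object type). Limiting this to computer objects is an assumption made
#    here; the thread only says "write properties".
dsacls $DelegatedOU /I:S /G "${Group}:WP;;computer"

# 3. Review what the group now holds on the delegated OU.
dsacls $DelegatedOU | Select-String -SimpleMatch $Group

# 4. Check the domain root for entries left over from an earlier
#    domain-level delegation. Any line printed here means the group can
#    still act on computer objects outside the delegated OU, including DCs.
dsacls $DomainDN | Select-String -SimpleMatch $Group
```

If step 4 prints anything, remove that entry from the domain root on the Security tab in Active Directory Users and Computers before relying on the OU-level delegation.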

        • #5
          Re: Permissions required to move computer accounts

          Hmmm.... Right.

          Although it will be a bit longer, surely that's the best practice.

          Thanks for correction......

          Regards,
          Kapil Sharma
          ~~~~~~~~~~~~~
          Life is too short, Enjoy It.
