Announcement

Collapse
No announcement yet.

Delegation rights for Moving Computers between OU's

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Delegation rights for Moving Computers between OU's

    Hey all, I'm having some issues with my helpdesk guys not being able to move computers between OU's. Here is how I have my permissions configured:

    Computers Container
    Full Control: Computer Objects
    Create/Delete Computer Objects: This object and all child
    Write All Properties: This object and all child

    Sites OU
    Full Control: User Objects
    Full Control: Computer Objects
    Create/Delete User Objects: This object and all child
    Create/Delete Computer Objects: This object and all child
    Write All Properties: This object and all child

    However when attempting to move a computer from the ComputersContainer to the Sites OU (or vice versa) an Access Denied message is displayed. Can anyone let me know what I may be doing wrong? Thanks.

  • #2
    Re: Delegation rights for Moving Computers between OU's

    Computers Container is really part of the domain, so try delegating rights on the domain
    Containers are only a way of reducing the number of users / computers floating around at the top level of the domain
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Delegation rights for Moving Computers between OU's

      Sometimes there is protection set on AD objects. If you view the advanced properties of the AD objects, so you may need to change to View, Advanced Options (something like that) in AD Users and Computers to see. Some have an option set to protect 'accidental deletion'. That needs removing to allow the object to be moved.

      AFAIK, this happens automatically in wk28 domains. Not sure in others.

      Comment


      • #4
        Re: Delegation rights for Moving Computers between OU's

        Virtual most likely has hit the head of the proverbial nail. This is generally turned on so newbie admins don't pork something and need to revive a tombstoned object.
        GoogleFu is strong with this one ^

        Comment


        • #5
          Re: Delegation rights for Moving Computers between OU's

          I don't see that option. I have "Advanced Options" enabled in the AD Users/Computers view. Where would it be?

          Thanks guys.

          Comment


          • #6
            Re: Delegation rights for Moving Computers between OU's

            What are the DC operating systems?
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

            Comment


            • #7
              Re: Delegation rights for Moving Computers between OU's

              I get the impression that you must have w2k3, so may not be present.

              In w2k8 (maybe w2k3 but can't double check at the moment), after activating

              'Advanced Features' or 'Advanced Options' in other editions, go to the properties of one of the AD objects you want to move and then click on the 'object' tab. Remove the tick from 'Protect object from accidental deletion'.

              Comment


              • #8
                Re: Delegation rights for Moving Computers between OU's

                Yep, this is 2k3.

                I have Advanced Features on. When I go to view the properties of a computer object and click the "Object" tab, all I see is the following:

                Canonical name of object
                Object class
                Created
                Modified
                Update Sequence Numbers

                Am I missing something? And thanks agian for the replies.

                Comment


                • #9
                  Re: Delegation rights for Moving Computers between OU's

                  Your not. It must be a w2k8 feature mentioned below.

                  The objects that they are wanting to move, can you do so yourself?

                  Comment


                  • #10
                    Re: Delegation rights for Moving Computers between OU's

                    It's not problem for me, I have Domain Admin rights. The users I'm trying to setup are just regular users with delegated rights.

                    Comment


                    • #11
                      Re: Delegation rights for Moving Computers between OU's

                      You know I figured it out, but I'm almost too embarrased to say the solution...

                      Well here goes, please hold your laughter

                      I created a taskpad for the user, and I'm using a test account mirrored to his to test. Since he'll be using the taskpad, I also tested using it. I created a "Move" task, which kept giving me an Access Denied error. For the hell of it (and why I didn't try sooner) I gave it the ol' right-click > Move. Wa-la, it works! So what did I do wrong??

                      While configuring the taskpad, I chose the command from "Node in the tree" instead of from "Item listed in the results pane". What this meant was that whenever I clicked "Move" it tried to move the whole OU. So after I banged my head a few times, I fixed it and it's working fine.

                      So frustrating.. but in the end glad I got it working. Thanks for the help all.

                      Comment


                      • #12
                        Re: Delegation rights for Moving Computers between OU's

                        Well done, and thanks for posting back
                        Rep++
                        Tom Jones
                        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                        PhD, MSc, FIAP, MIITT
                        IT Trainer / Consultant
                        Ossian Ltd
                        Scotland

                        ** Remember to give credit where credit is due and leave reputation points where appropriate **

                        Comment


                        • #13
                          Re: Delegation rights for Moving Computers between OU's

                          Glad it worked for you! Often the hardest issues are the easiest solutions. We tend to pass over things that a second set of eyes would do well to find.
                          GoogleFu is strong with this one ^

                          Comment

                          Working...
                          X