
Active directory problems

Status
Not open for further replies.

kpeterson

IS-IT--Management
Jun 7, 2005
42
CA
I am trying to move one computer account into another OU to do some GPO testing. When I try to move the account I always get permission denied. So I open up the security tab and the group I am in has full control in both of the OUs. Is there a proper way to allow a user to be able to do that? Thanks
 
Hi There,

One thing you may want to check is that although the group you are in has full control do you belong to another group that may be denied? Just a thought....

Darryl
 
Just checked to see if I was in any groups that were denied access and it looks good, I have no idea what else to try.
 
I think it has something to do with the way we are delegating control; the lower-level OUs are not inheriting everything that they should. I will try to move a computer account from one container to another. I always get access denied, even though it says full control on the OU and it also says that it is inherited. The way I have to do it right now is if I go into that computer account's properties I then can select full control and be able to move the account with no problems. No matter what we do, all computer accounts basically have no permissions for the group that was delegated full control. I would really like to get this working.
 
Update

OK, I still do not have this working correctly. We sort of figured out that the objects in the OUs are not inheriting the permissions. For example, we have an OU for workstations and inside that OU are 2 other OUs for laptops and desktops. If I join the domain and move the computer account into the desktop OU I no longer have any permissions on that object. The security tab shows the _IT Dept group having no rights... BUT I do have the permission to assign _IT Dept full control on that computer account and then I can move it around again. So at some point full control for _IT Dept gets lost. Any help would be great. Thanks
 
Based on what I read here, I'm guessing that you upgraded from NT4 to 200x?...

I experienced the same issue when I did the upgrade on all existing objects (new ones were fine though), so I wrote a script to set all objects to inherit properly. If this is the case for you, let me know and I'll try to dig that script up.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
We did upgrade from NT4 a while ago (before I was here). I wouldn't mind taking a look at your script, I'm sure it will help us out. Thanks for the help.
 
OK, I'll dig them up for you and post them... time to search my scripts archives :)

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
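
The script offered above was never posted in this thread. As an added example (not Intruder's script), the following PowerShell reports which computer objects under an OU have ACL inheritance blocked and how many inherited versus explicit ACEs the delegated group holds, then re-enables inheritance on request. The search base DN and the `EXAMPLE` domain prefix are placeholders; it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example, not code from the thread.
# The ActiveDirectory module provides Get-ADComputer and the AD: drive.
Import-Module ActiveDirectory

# Assumption: placeholder DN; replace with the OU being audited.
$SearchBase = 'OU=Workstations,DC=example,DC=com'
# Assumption: placeholder domain prefix for the delegated group from the thread.
$Group = 'EXAMPLE\_IT Dept'

function Get-InheritanceReport {
    param([string]$SearchBase, [string]$Group)
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $acl  = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        # All ACEs on this object that name the delegated group.
        $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group })
        [pscustomobject]@{
            Name               = $_.Name
            DistinguishedName  = $_.DistinguishedName
            # True when "include inheritable permissions from parent" is off.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            InheritedGroupAces = @($aces | Where-Object { $_.IsInherited }).Count
            ExplicitGroupAces  = @($aces | Where-Object { -not $_.IsInherited }).Count
        }
    }
}

function Enable-Inheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)]
          [string]$DistinguishedName)
    process {
        $path = "AD:\" + $DistinguishedName
        $acl  = Get-Acl -Path $path
        if ($acl.AreAccessRulesProtected -and
            $PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
            # $false = not protected, i.e. inherit from parent again.
            # The second argument is ignored when the first is $false.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Report only the objects that are not inheriting from their parent OU.
$blocked = Get-InheritanceReport -SearchBase $SearchBase -Group $Group |
    Where-Object { $_.InheritanceBlocked }
$blocked | Format-Table Name, InheritedGroupAces, ExplicitGroupAces

# Preview the change; remove -WhatIf to apply it.
$blocked | Enable-Inheritance -WhatIf
```

Existing explicit ACEs are left in place when inheritance is re-enabled, so review the report for leftover explicit entries afterwards.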
 