Moving Computer obj frm computer container to different OU

[Rockstar101]

Hello everyone,

I have Server 2003 and have been trying to figure out how to set the permissions to allow a group to move existing computers in the "computer" container into the appropriate OU under our "workstations" OU.

***This part doesn't work***
What I've done thus far is: Delegated full control over computer objects to Group X on the "workstations" OU and also set it to create/delete all child objects.

It still won't let users in that group create computer accts or Move computer acct from the computer conatiner into the "workstations" OU!

***This part works***
The computer container allows Group X to add computers to the container as well as delete.

Are there any setting I'm missing???

Thank you I really would appreciate any help I can get on this.

 

[sutors]

As long as group X has enought rights on computers container and the workstations OU, it should work.

Enable advanced features in ADUC so you can see security tabs. Then right click on computer object in each location and check effective permissions for group X. It's very possible that computer objects don't inheret your delegation right.

If you have full control for group X on particular OU, but this full control is only for "this object only", then you will see the exact behavior, meaning that you can create/delete objects but you cannot move objects there.

Instead of using delegation wizard, do a test and manually add the required right (or full control for testing purposes) to each location, make sure that "apply to" is set to "this object and all child objects".

Later on you can restrict it further, unless you're fine with full control for group X.

Lukasz

 

[Rockstar101]

Thanks Lukasz, I'll give it a shot, appreciate your help!