Principle of least privilege - Delegate rights to move between OUs - Active Directory

Question

Hi, I´ve been having trouble delegating rights to a non-admin user.

He should have to be able to move Computer Objects between delegated OU´s with minimum rights.

I got the following solution working:

• Delegate a custom Task, on source and destination OU
• Applied to: only Computer Objects in a folder, including Create/Delete selected Objects in this folder
• Permissions: Write All Properties

Now the part that is bothering us, the "Write all Properties" Flag...

Respecting the Principle of least privilege we would like to apply only the necessary and mandatory Write Permissions for Properties.

I know that not all Write permissions are necessary, since I removed some at random and moving Objects was still possible. But it got a bit tedious removing single permissions and trying if I can still move Objects.

Which minimum "Write Properties" permissions are required, for moving Computers between OU´s?

Domain and Forest Level: Windows Server 2016
DC OS Version: Windows 2019

Answer 1

Hi @John Coll

Have a look at this post which has the details of the default and the minimum permissions required to move objects between OUs.

https://learn.microsoft.com/en-us/answers/questions/973272/delegate-help-desk-users-permission-to-move-users.html

Gary.

Answer 2

Hey thanks for your reply, I was able to move objects with minimal rights.

However i couldnt find a permission with the Name "Write cn" but rather "Write Name" and "Write name"

Afer setting both, I was able to move the Objects