AD Computer Move Only Permissions Not Working

Question

AD Computer Move Only Permissions Not Working

TJ Cooper 26

I have set permissions for a security group to create/delete computer objects in an OU and set "write all properties" (to troubleshoot) and I cannot move the computer of an OU. I get an "access denied" error. I have verified create/delete is set as is write name, Name, and DistinguishedName. That is all that is required as per what I have found online.

Write All Properties is set to "Descendent Computer Objects"

Create/Delete computer objects is set to "This object and all descent objects"

Any ideas? What am I missing

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Anonymous

2023-08-17T07:16:27.2266667+00:00

Hello TJ Cooper,

Thank you for posting in our Q&A forum.

I think it should be the issue.

Because during we configure the delegation permission, we should check the box before "Create selected objects in this folder" and "Delete selected objects in this folder".

Reference:
https://itadminguide.com/delegate-move-computer-objects-from-one-ou-to-another/#:~:text=The%20steps%20involved%20to%20set%20delegation%20for%20a,In%20the%20Delegation%20of%20Control%20Wizard%2C%20click%20Next

Best Regards,
Daisy Zhou
TJCooper 1 Reputation point

2023-08-17T14:26:11.6366667+00:00

I saw that page. The permissions were setup correctly, I triple checked it. The same issue was happening on the accounts and workstation OU(s). Once I unchecked Everyone Deny "delete child object" it worked on both OU(s). I had it setup correctly and so I knew there had to be a deny somewhere.

1 answer

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Anonymous

2023-08-17T07:16:27.2266667+00:00

Hello TJ Cooper,

Thank you for posting in our Q&A forum.

I think it should be the issue.

Because during we configure the delegation permission, we should check the box before "Create selected objects in this folder" and "Delete selected objects in this folder".

Reference:
https://itadminguide.com/delegate-move-computer-objects-from-one-ou-to-another/#:~:text=The%20steps%20involved%20to%20set%20delegation%20for%20a,In%20the%20Delegation%20of%20Control%20Wizard%2C%20click%20Next

Best Regards,
Daisy Zhou
TJCooper 1 Reputation point

2023-08-17T14:26:11.6366667+00:00

I saw that page. The permissions were setup correctly, I triple checked it. The same issue was happening on the accounts and workstation OU(s). Once I unchecked Everyone Deny "delete child object" it worked on both OU(s). I had it setup correctly and so I knew there had to be a deny somewhere.

Answer 1

Gary Reynolds 9,621

Hi,

Have a look at this answer, make sure you have set the permissions on both the source and destination OUs - https://learn.microsoft.com/en-us/answers/questions/973272/delegate-help-desk-users-permission-to-move-users?comment=answer-975344&page=1#comment-1349105

Have a look at this article which will help identify the effective permissions for both the OUs and computer objects - https://nettools.net/how-to-find-active-directory-effective-rights/

I would also check that you have unchecked the accidental deletion options from the OU.

User's image

Gary,

TJCooper 1 Reputation point

2023-08-16T13:58:46.01+00:00

I did all that. I set create/delete and write all properties, and accidental deletion is not checked. I verified write name, Name, and distinguished name is checked. I followed the instructions in the link you posted.
TJCooper 1 Reputation point

2023-08-16T14:45:29.6933333+00:00

There was a "delete child objects" Deny on everyone. I think that was blocking it. I unchecked it and I was able to move it.
Gary Reynolds 9,621 Reputation points

2023-08-16T21:36:14.8+00:00

That permission is part of the accidental deletion protection. For some reason the UI and permissions are out of sync.
TJCooper 1 Reputation point

2023-08-17T15:13:27.4333333+00:00

Are you sure? Why would it apply to child objects?
TJCooper 1 Reputation point

2023-08-17T15:20:31.4466667+00:00

I used powsershell to check if protectedfromaccidental deletion was checked and it still is and I have the everyone deny unchecked. I dont think they are the same setting.
Gary Reynolds 9,621 Reputation points

2023-08-20T22:41:18.9833333+00:00

The accidental deletion sets two permissions, delete and delete subtree, for Everyone; this is usually set on a single ACE; however, if one of the rights is removed or set in two separate ACEs, then ADUC UI will not show the check on the Object tab.

If you had a separate ACE which denied Delete All Child, then this wasn't part of the accidental deletion and was set by something or someone else.

Gary.

Share via

AD Computer Move Only Permissions Not Working

1 answer

Your answer