Permissions to move accounts

David Zemdegs 1,591 Reputation points
2023-10-06T00:25:43.2566667+00:00

I found several sites that detailed permissions required to move accounts in AD.

e.g. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772637(v=ws.10)

I have granted those permissions but still get access denied.

This is what I have done:

A scheduled script is run using account 'scriptacct'.

This script moves group 'testgroup' from 'sourceOU' to 'DestOU'.

The permissions are set for acct 'scriptacct' as follows:

Create/delete groups on both sourceOU and DestOU (CC and DC).

Write property for CN and RDN on both sourceOU and DestOU (known as 'name' and 'Name' in ADAC).

Those are the only permissions I thought I needed, but they don't seem to be enough?

Thanks

David Z

Active Directory

1 answer

  1. David Zemdegs 1,591 Reputation points
    2023-10-06T01:50:34.6566667+00:00

    Got it. Turns out the above link was wrong.

    Also, this wiki link is wrong:

    https://social.technet.microsoft.com/wiki/contents/articles/20747.delegate-moving-user-group-and-computer-accounts-between-organizational-units-in-active-directory.aspx

    I noted the last comment and then added the 'delete' permission on descendant group objects and it worked!
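
To see which of the delegations named in this thread an account actually holds on each OU, the PowerShell below reads both OU ACLs and reports each right as true or false. It is an added example, not part of the original post; the domain `CONTOSO`, the OU distinguished names and the helper function names are assumptions.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions): NetBIOS domain name and OU distinguished names.
$Delegate = 'CONTOSO\scriptacct'
$OUs      = 'OU=sourceOU,DC=contoso,DC=com', 'OU=DestOU,DC=contoso,DC=com'

# Resolve schema GUIDs for the group class and the cn/name attributes at run
# time, so the ACE object types can be shown by name.
$names = @{}
$names[[guid]::Empty] = '(any)'
$filter = '(|(lDAPDisplayName=group)(lDAPDisplayName=cn)(lDAPDisplayName=name))'
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter $filter `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-Name([guid]$Id) {
    if ($names.ContainsKey($Id)) { $names[$Id] } else { $Id.ToString() }
}

# True when some allow ACE grants $Right on $Object (or on any object type).
# -OnGroups additionally requires the ACE to be inherited by group objects.
function Test-Right($Rows, [string]$Right, [string]$Object, [switch]$OnGroups) {
    $flag = [System.DirectoryServices.ActiveDirectoryRights]$Right
    [bool]($Rows | Where-Object {
        (($_.Rights -band $flag) -eq $flag) -and
        ($_.Object -in $Object, '(any)') -and
        (-not $OnGroups -or ($_.AppliesTo -in 'group', '(any)' -and $_.Scope -ne 'None'))
    })
}

foreach ($ou in $OUs) {
    $rows = @((Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference.Value -eq $Delegate -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Rights    = $_.ActiveDirectoryRights
                Object    = Resolve-Name $_.ObjectType
                AppliesTo = Resolve-Name $_.InheritedObjectType
                Scope     = [string]$_.InheritanceType
            }
        })
    [pscustomobject]@{
        OU                = $ou
        CreateGroup       = Test-Right $rows CreateChild group
        DeleteGroupChild  = Test-Right $rows DeleteChild group
        WriteCnOnGroups   = Test-Right $rows WriteProperty cn -OnGroups
        WriteNameOnGroups = Test-Right $rows WriteProperty name -OnGroups
        DeleteOnGroups    = Test-Right $rows Delete '(any)' -OnGroups
    }
}
```

The check only sees allow ACEs that name the account directly; rights granted through group membership and any deny ACEs are not evaluated.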

