This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I found several sites that detailed permissions required to move accounts in AD.
I have granted those permissions but still get access denied.
This is what I have done:
A scheduled script is run using account 'scriptacct'.
This script moves group 'testgroup' from 'sourceOU' to 'DestOU'.
The permissions are set for acct 'scriptacct' as follows:
Create/delete groups on both sourceOU and DestOU (CC and DC).
Write property for CN and RDN on both sourceOU and DestOU (known as 'name' and 'Name' in ADAC).
That's the only permissions I thought I needed but dont seem to be enough?
Thanks
David Z
Forgot to add that the account also has write DN permissions on both source and dest OUs.
Got it. Turns out the above link was wrong.
Also, this wiki leak is wrong:
I noted the last comment and then added the 'delete' permission on descendant group objects and it worked!
edited
Further to the above - You do not need the 'Delete Group Objects' permission - just the 'Delete' on descendant group objects. That tells me the 'Delete <objecttype> permission' doesnt work!