Delegate help desk users permission to move users and computers object to OU on entire domain

abraham flores 241 Reputation points
2022-08-18T23:03:21.673+00:00

Hi, I have created delegated permissions to allow help desk users to move users/computers to different OUs, but I got this kind of message: ![232655-image.png][1] For computers I applied these permissions, with almost the same message: ![232627-image.png][2] I also looked up some information that recommends disabling "protect object from accidental deletion" on the OUs, but it did not work. I tested with different permissions but none of them are working. Is there anything else I can apply?

[1]: /api/attachments/232655-image.png?platform=QnA
[2]: /api/attachments/232627-image.png?platform=QnA


2 answers

  1. Gary Reynolds 9,391 Reputation points
    2022-08-21T11:41:21.93+00:00

    Hi

    To be able to move objects from one OU to another you need to have rights to both create and delete the object type in both the source and target OU. You will also need the rights to update the object properties. If you set these permissions on the top-most OU, all the child OUs will also inherit the permissions.

    There are a couple of options to delegate the permissions, you could provide the helpdesk team with full control over the user or computer objects and the child objects.

    233241-image.png

    233242-image.png

    This will grant the following permissions to the grp_MoveComputerObjets group on the top OU; this will need to be assigned on both the source and target OUs.

    233204-image.png

    This does assign more rights than are actually needed to move computer or user objects. You can change the Full Control to Write all Properties by setting the permissions to this:

    233243-image.png

    Which results in these permissions:

    ![233225-image.png][6]

    If you want the absolute bare minimum permissions required, you only need write access to the name and cn attributes to complete the move. These can't be set by the delegation wizard, and have to be set manually.

    233251-image.png

    Gary.

    1 person found this answer helpful.
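The minimum delegation Gary describes (create/delete child objects of the class on the OU tree, plus write on the name and cn attributes of descendant objects), as an added PowerShell example that is not part of the original answer. It looks the schema GUIDs up rather than hardcoding them; the group name grp_MoveComputerObjets comes from the thread, while the OU path OU=Workstations,DC=example,DC=com is an assumed placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and the
# AD: PSDrive it provides. Group name is from the answer; the OU DN is a placeholder.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve a class or attribute schemaIDGUID from the schema partition instead of hardcoding it
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Grant-MoveDelegation {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$OuDN,
        [ValidateSet('user', 'computer')][string]$ObjectClass = 'computer'
    )
    $sid       = (Get-ADGroup $GroupName).SID
    $classGuid = Get-SchemaGuid $ObjectClass
    $path      = "AD:\$OuDN"
    $acl       = Get-Acl -Path $path

    # 1. Create/delete child objects of this class on the OU and every child OU.
    #    Needed on both source and target; applying it once to a common parent covers both.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, 'CreateChild, DeleteChild', 'Allow', $classGuid, 'All'))

    # 2. Write to 'name' and 'cn' on descendant objects of this class only.
    #    The move rewrites the RDN, and the delegation wizard cannot scope these attributes.
    foreach ($attr in 'name', 'cn') {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, 'WriteProperty', 'Allow', (Get-SchemaGuid $attr), 'Descendents', $classGuid))
    }
    Set-Acl -Path $path -AclObject $acl
}

function Show-Delegation {
    # Read back what actually landed. Deny entries (e.g. accidental-deletion protection)
    # override Allow entries and are the first thing to inspect when a move is still refused.
    param([Parameter(Mandatory)][string]$OuDN, [Parameter(Mandatory)][string]$GroupName)
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" -or $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
        Format-Table -AutoSize
}

Grant-MoveDelegation -GroupName 'grp_MoveComputerObjets' -OuDN 'OU=Workstations,DC=example,DC=com' -ObjectClass computer
Show-Delegation -OuDN 'OU=Workstations,DC=example,DC=com' -GroupName 'grp_MoveComputerObjets'
```

Run it once per top-level OU that contains source or target containers; the ObjectType column in the read-back output should show the class GUID on the CreateChild/DeleteChild entry and the cn/name attribute GUIDs on the two WriteProperty entries.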

  2. TJCooper 1 Reputation point
    2023-08-16T06:51:50.8666667+00:00

    I created a group and gave it the ability to write all properties as well as create/delete. I cannot move the object, I get access denied. Any ideas? I can move it OUT of an OU (I can move it to that OU).