compdigit44
asked on
Permission Problems with Windows 2000 Delegration Control - - URGENT
Right now from the root of my Winodws 2000 AD domain I just used the Delegation wizard to give my HD user the ability to "Join a computer to the domain" which works. THe HD user tried to move this computer to a different OU and got accessed denied. They need to be able to move computer objects to different OU's. What Delegration Wizards selections/permission do I need to grant this groups the abilty to do this..
Please help.....
Please help.....
zrobinson
Use the "Computer Objects" Check box in the delegate control wizard.
ASKER
Ok, but what do I select under the permissoin box for the Computer objects?
a move is a delete and an add. I know seems strange but that it what I found.
Mark
Apologies, I misunderstood. If the user can create computer objects by joining them to the domain (or if you have pre-provisioned the computer accounts) You need to grant the user the permission to create computer accounts within an OU. Delegation Control Wizard > Organizational Unit Objects > check Creation / deletion of specific child objects > Check Create Computer Objects
I hit the enter button too quickly... Wishing for an edit button.
You also need to check Delete Computer Objects, as markpalinux stated.
You also need to check Delete Computer Objects, as markpalinux stated.
Yes - Basically, they need the permissions to be able to Create objects in the OU you're moving TO, and Delete objects in the container you're moving FROM.
Delegate these rights to the correct OUs and your user will be able to move objects between them... :)
Pete
Delegate these rights to the correct OUs and your user will be able to move objects between them... :)
Pete
ASKER
I need to do this from the domai n level will this make a difference?
Nope, that should apply to any OU in the domain via inherited permissions.
ASKER
I don't understand why I need to grant the delete permission to the computer object when I just want to grant my help desk user the ability to add a workstation to the domain and move it to a OU that's ut I do not want them delete computer objects fro AD..
please explain
please explain
The way that active directory logically looks at a move is to "delete" the computer object from the OU you are moving FROM and "create" the computer object in the OU you are moving to.
This article has more detailed information, but confirms this AD "logic"
http://support.microsoft.com/kb/818091
This article has more detailed information, but confirms this AD "logic"
http://support.microsoft.com/kb/818091
ASKER
is it possible to grant a user the ability to move computer accounts in ad BUT not be able to join them to a domian
There is a round-about way of doing it, but is that what you're really trying to accomplish?
ASKER
I'm still having a hard time understand WHY the delete permission is need when I just want to move a computer account...I'm having a mental block
That is the way microsoft designed it.
Lets say you want to move the computer account from OU X to OU Y.
You have to take away the computer FROM OU X, thus, deleting it from that OU, and TO OU Y, thereby creating it within the OU. While the computer account does not actually get deleted or created persay, this is just how the logic of it works.
Lets say you want to move the computer account from OU X to OU Y.
You have to take away the computer FROM OU X, thus, deleting it from that OU, and TO OU Y, thereby creating it within the OU. While the computer account does not actually get deleted or created persay, this is just how the logic of it works.
ASKER
FOr my helpdesk group I select the Computer object then select under permissions "create & delete all child object" yet they are still gettgin access denied when they try to move a computer account
Are you using the Delegation of control wizard?
ASKER
yes
So you've basically done this -
Delegate Control Wizzard >
Selected your security group >
Created a custom task to delegate >
Only the following objects in the folder >
Computer Objects >
Check Create and Delete selected objects in this folder?
Delegate Control Wizzard >
Selected your security group >
Created a custom task to delegate >
Only the following objects in the folder >
Computer Objects >
Check Create and Delete selected objects in this folder?
ASKER
Yes.. I just read an article online that I needed to add the Write Object permissons as well..
I just did this and I'm going to help my user test it out..
I just did this and I'm going to help my user test it out..
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Ah ok, good luck, there should be no other steps involved... :)
Pete
Pete
ASKER
It works NOW!!!!!!!!!!!!!! :-)
Sorry, Just got back to my desk. Glad all is well.