Solved

Permission Problems with Windows 2000 Delegation Control - - URGENT

Posted on 2009-04-07
Medium Priority
267 Views
Last Modified: 2012-05-06
Right now from the root of my Windows 2000 AD domain I just used the Delegation wizard to give my HD user the ability to "Join a computer to the domain", which works. The HD user tried to move this computer to a different OU and got access denied. They need to be able to move computer objects to different OUs. What Delegation Wizard selections/permissions do I need to grant this group the ability to do this?

Please help.....
0
Comment
Question by:compdigit44
23 Comments
 
LVL 3

Expert Comment

by:zrobinson
ID: 24088496
Use the "Computer Objects" Check box in the delegate control wizard.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24088518
Ok, but what do I select under the permission box for the Computer objects?
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 24088727
A move is a delete and an add. I know it seems strange, but that is what I found.

Mark
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24088736
Apologies, I misunderstood. If the user can create computer objects by joining them to the domain (or if you have pre-provisioned the computer accounts), you need to grant the user the permission to create computer accounts within an OU. Delegation Control Wizard > Organizational Unit Objects > check Creation / deletion of specific child objects > check Create Computer Objects

0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24088752
I hit the enter button too quickly... Wishing for an edit button.

You also need to check Delete Computer Objects, as markpalinux stated.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24088775
Yes - Basically, they need the permissions to be able to Create objects in the OU you're moving TO, and Delete objects in the container you're moving FROM.

Delegate these rights to the correct OUs and your user will be able to move objects between them... :)

Pete
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24088874
I need to do this from the domain level; will this make a difference?
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24088918
Nope, that should apply to any OU in the domain via inherited permissions.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24089462
I don't understand why I need to grant the delete permission to the computer object when I just want to grant my help desk user the ability to add a workstation to the domain and move it to an OU, that's it, but I do not want them to delete computer objects from AD..

please explain
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24089580
The way that Active Directory logically looks at a move is to "delete" the computer object from the OU you are moving FROM and "create" the computer object in the OU you are moving TO.

This article has more detailed information, but confirms this AD "logic":

http://support.microsoft.com/kb/818091
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24089613
Is it possible to grant a user the ability to move computer accounts in AD BUT not be able to join them to a domain?
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24089713
There is a round-about way of doing it, but is that what you're really trying to accomplish?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24089814
I'm still having a hard time understanding WHY the delete permission is needed when I just want to move a computer account... I'm having a mental block.
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24089868
That is the way Microsoft designed it.

Let's say you want to move the computer account from OU X to OU Y.

You have to take away the computer FROM OU X, thus deleting it from that OU, and add it TO OU Y, thereby creating it within that OU. While the computer account does not actually get deleted or created per se, this is just how the logic of it works.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24090387
For my helpdesk group I selected the Computer object, then selected under permissions "create & delete all child objects", yet they are still getting access denied when they try to move a computer account.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24090534
Are you using the Delegation of control wizard?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24090581
yes
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24090651
So you've basically done this -

Delegate Control Wizard >
Selected your security group >
Created a custom task to delegate >
Only the following objects in the folder >
Computer Objects >
Check Create and Delete selected objects in this folder?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24090676
Yes.. I just read an article online that I needed to add the Write Object permissions as well..

I just did this and I'm going to help my user test it out..
0
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 2000 total points
ID: 24090684
I believe you need 3 permissions to move an object between OUs -

1) DELETE_CHILD on the source container or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN (name) and CN (or whatever happens to be the rdn attribute for this class, i.e. ou for org units).
3) CREATE_CHILD on the destination container.

Source - http://blog.joeware.net/2005/07/17/48/
0
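The accepted answer lists the three rights a move needs but the thread only shows the wizard checkboxes. The script below is an added example (not posted by anyone in this thread) that grants exactly those three rights with PowerShell and the ActiveDirectory module, scoping each ACE to computer objects so the help-desk group gets no blanket Delete right on the OU. The group name, OU paths and domain are assumed placeholders; the schemaIDGUIDs for the computer class and the name/cn attributes are read from the schema instead of being hard-coded. This needs the AD module (Windows Server 2008 R2 or later management tools); on the asker's Windows 2000 domain the same ACEs would be set with the wizard or dsacls.

```powershell
# Added example, not from the thread: delegate "move computer between OUs"
# with the three rights from the accepted answer, restricted to computer objects.
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
using namespace System.Security.Principal

Import-Module ActiveDirectory

$GroupName = 'HelpDesk-ComputerMovers'               # assumed group name
$SourceOU  = 'OU=Staging,DC=corp,DC=example'         # assumed "moving FROM" container
$DestOU    = 'OU=Workstations,DC=corp,DC=example'    # assumed "moving TO" container

# ACEs are written against a SID, not a display name.
$identity = [SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID

# Resolve schemaIDGUIDs from the schema partition rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$computerClass = Get-SchemaGuid 'computer'
$nameAttr      = Get-SchemaGuid 'name'   # the RDN attribute
$cnAttr        = Get-SchemaGuid 'cn'     # naming attribute of the computer class

$allow = [AccessControlType]::Allow

# 1) DELETE_CHILD on the source container, limited to child objects of class computer.
$deleteChild = [ActiveDirectoryAccessRule]::new(
    $identity, [ActiveDirectoryRights]::DeleteChild, $allow,
    $computerClass, [ActiveDirectorySecurityInheritance]::All)

# 2) WRITE_PROP on name and cn, inherited only by computer objects under the source.
$writeName = [ActiveDirectoryAccessRule]::new(
    $identity, [ActiveDirectoryRights]::WriteProperty, $allow,
    $nameAttr, [ActiveDirectorySecurityInheritance]::Descendents, $computerClass)
$writeCn = [ActiveDirectoryAccessRule]::new(
    $identity, [ActiveDirectoryRights]::WriteProperty, $allow,
    $cnAttr, [ActiveDirectorySecurityInheritance]::Descendents, $computerClass)

# 3) CREATE_CHILD on the destination container, limited to computer objects.
$createChild = [ActiveDirectoryAccessRule]::new(
    $identity, [ActiveDirectoryRights]::CreateChild, $allow,
    $computerClass, [ActiveDirectorySecurityInheritance]::All)

# Apply the source-side ACEs.
$srcAcl = Get-Acl -Path "AD:\$SourceOU"
$srcAcl.AddAccessRule($deleteChild)
$srcAcl.AddAccessRule($writeName)
$srcAcl.AddAccessRule($writeCn)
Set-Acl -Path "AD:\$SourceOU" -AclObject $srcAcl

# Apply the destination-side ACE.
$dstAcl = Get-Acl -Path "AD:\$DestOU"
$dstAcl.AddAccessRule($createChild)
Set-Acl -Path "AD:\$DestOU" -AclObject $dstAcl

# Verify: show only the ACEs now held by the group on each container.
foreach ($ou in @($SourceOU, $DestOU)) {
    Write-Host "ACEs for $GroupName on $ou"
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
        Format-Table -AutoSize
}
```

Because the delete right is granted as DeleteChild scoped to the computer class on the source OU only, the group cannot delete users, groups or other OUs there, and cannot delete computers anywhere else; that is the minimum the joeware post quoted above describes, and the same three ACEs are what the wizard's "Create/Delete Computer Objects" plus "Write" choices produce in a broader form.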
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24090694
Ah ok, good luck, there should be no other steps involved... :)

Pete
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24090730
It works NOW!!!!!!!!!!!!!! :-)
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24090910
Sorry, Just got back to my desk.  Glad all is well.
0
