  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 270
  • Last Modified:

Permission Problems with Windows 2000 Delegation of Control - URGENT

Right now, from the root of my Windows 2000 AD domain, I just used the Delegation wizard to give my HD user the ability to "Join a computer to the domain", which works. The HD user tried to move this computer to a different OU and got access denied. They need to be able to move computer objects to different OUs. What Delegation Wizard selections/permissions do I need to grant this group the ability to do this?

Please help.....
0
Asked: compdigit44
1 Solution
 
zrobinsonCommented:
Use the "Computer Objects" Check box in the delegate control wizard.
0
 
compdigit44Author Commented:
Ok, but what do I select under the permission box for the Computer objects?
0
 
markpalinuxCommented:

A move is a delete and an add. I know it seems strange, but that is what I found.

Mark
0
 
zrobinsonCommented:
Apologies, I misunderstood.  If the user can create computer objects by joining them to the domain (or if you have pre-provisioned the computer accounts), you need to grant the user the permission to create computer accounts within an OU.  Delegation Control Wizard > Organizational Unit Objects > check Creation / deletion of specific child objects > Check Create Computer Objects

0
 
zrobinsonCommented:
I hit the enter button too quickly... Wishing for an edit button.

You also need to check Delete Computer Objects, as markpalinux stated.
0
 
PeteJThomasCommented:
Yes - Basically, they need the permissions to be able to Create objects in the OU you're moving TO, and Delete objects in the container you're moving FROM.

Delegate these rights to the correct OUs and your user will be able to move objects between them... :)

Pete
0
 
compdigit44Author Commented:
I need to do this from the domain level. Will this make a difference?
0
 
zrobinsonCommented:
Nope, that should apply to any OU in the domain via inherited permissions.
0
 
compdigit44Author Commented:
I don't understand why I need to grant the delete permission to the computer object when I just want to grant my help desk user the ability to add a workstation to the domain and move it to an OU. That's it, but I do not want them to delete computer objects from AD.

please explain
0
 
zrobinsonCommented:
The way that Active Directory logically looks at a move is to "delete" the computer object from the OU you are moving FROM and "create" the computer object in the OU you are moving TO.

This article has more detailed information, but confirms this AD "logic":

http://support.microsoft.com/kb/818091
0
 
compdigit44Author Commented:
Is it possible to grant a user the ability to move computer accounts in AD BUT not be able to join them to a domain?
0
 
zrobinsonCommented:
There is a round-about way of doing it, but is that what you're really trying to accomplish?
0
 
compdigit44Author Commented:
I'm still having a hard time understanding WHY the delete permission is needed when I just want to move a computer account... I'm having a mental block.
0
 
zrobinsonCommented:
That is the way Microsoft designed it.

Let's say you want to move the computer account from OU X to OU Y.

You have to take away the computer FROM OU X, thus deleting it from that OU, and add it TO OU Y, thereby creating it within that OU.  While the computer account does not actually get deleted or created per se, this is just how the logic of it works.
0
 
compdigit44Author Commented:
For my helpdesk group I select the Computer object, then select under permissions "create & delete all child objects", yet they are still getting access denied when they try to move a computer account.
0
 
PeteJThomasCommented:
Are you using the Delegation of control wizard?
0
 
compdigit44Author Commented:
yes
0
 
PeteJThomasCommented:
So you've basically done this -

Delegate Control Wizard >
Selected your security group >
Created a custom task to delegate >
Only the following objects in the folder >
Computer Objects >
Check Create and Delete selected objects in this folder?
0
 
compdigit44Author Commented:
Yes.. I just read an article online that I needed to add the Write Object permissions as well..

I just did this and I'm going to help my user test it out..
0
 
PeteJThomasCommented:
I believe you need 3 permissions to move an object between OUs -

1) DELETE_CHILD on the source container or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN (name) and CN (or whatever happens to be the rdn attribute for this class, i.e. ou for org units).
3) CREATE_CHILD on the destination container.

Source - http://blog.joeware.net/2005/07/17/48/
0
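The same delegation that zrobinson's wizard steps (Create Computer Objects plus Delete Computer Objects) and Pete's three-permission list describe, expressed as explicit ACEs with PowerShell. This is an added example, not code from the thread or from Experts Exchange; it assumes the RSAT ActiveDirectory module, a helpdesk group named HelpDesk, and placeholder OU distinguished names in a placeholder contoso.com domain. Pointing both OU variables at the domain root applies the rights domain-wide through inheritance, which is what the asker wanted.

```powershell
# Added example: delegate only what an OU-to-OU move of a computer object needs.
# Assumptions (placeholders, not from the thread): group "HelpDesk", the two OU DNs below,
# and the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl/Set-Acl).
Import-Module ActiveDirectory

$GroupName = 'HelpDesk'                                   # placeholder helpdesk group
$SourceOU  = 'OU=Staging,DC=contoso,DC=com'               # placeholder: moving FROM here
$TargetOU  = 'OU=Workstations,DC=contoso,DC=com'          # placeholder: moving TO here

# Resolve the group's SID; ACEs are written against a SID, not a name.
$sid = (Get-ADGroup -Identity $GroupName).SID

# Look the schema GUIDs up rather than hard-coding them, so the ACEs are scoped
# to the computer class and to the two attributes a rename/move writes (name and cn).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
$computerClass = Get-SchemaGuid 'computer'
$nameAttr      = Get-SchemaGuid 'name'
$cnAttr        = Get-SchemaGuid 'cn'

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$InheritAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1) DELETE_CHILD restricted to computer objects on the source container.
#    This is the "delete" half of a move; it is not "delete any child object".
$deleteChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild, $Allow, $computerClass, $InheritAll)

# 2) WRITE_PROP on name and cn, inherited only onto descendant computer objects.
$writeName = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $Allow, $nameAttr, $Descendants, $computerClass)
$writeCn = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $Allow, $cnAttr, $Descendants, $computerClass)

# 3) CREATE_CHILD restricted to computer objects on the destination container.
$createChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $Allow, $computerClass, $InheritAll)

function Add-DelegationAces {
    param([string]$DistinguishedName, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules)
    $path = "AD:\$DistinguishedName"
    $acl = Get-Acl -Path $path
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
}

Add-DelegationAces -DistinguishedName $SourceOU -Rules @($deleteChild, $writeName, $writeCn)
Add-DelegationAces -DistinguishedName $TargetOU -Rules @($createChild)

# Review what was written: only the four object-type-scoped ACEs for the group should appear.
foreach ($ou in @($SourceOU, $TargetOU)) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object @{n='OU';e={$ou}}, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
```

Scoping DeleteChild and CreateChild to the computer class GUID is the difference between this and the "create & delete all child objects" selection the asker first tried: the helpdesk group can remove a computer account from the source OU as part of a move, but gains no rights over users, groups or other object classes. The delete-from-source right is still a genuine delete right, as the thread explains, so the source OU should be the narrowest container that works for the workflow.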
 
PeteJThomasCommented:
Ah ok, good luck, there should be no other steps involved... :)

Pete
0
 
compdigit44Author Commented:
It works NOW!!!!!!!!!!!!!! :-)
0
 
zrobinsonCommented:
Sorry, Just got back to my desk.  Glad all is well.
0
Question has a verified solution.