Solved

Permission Problems with Windows 2000 Delegation Control - URGENT

Posted on 2009-04-07
23
259 Views
Last Modified: 2012-05-06
Right now, from the root of my Windows 2000 AD domain, I just used the Delegation wizard to give my HD user the ability to "Join a computer to the domain", which works. The HD user tried to move this computer to a different OU and got access denied. They need to be able to move computer objects to different OUs. What Delegation Wizard selections/permissions do I need to grant this group the ability to do this?

Please help.....
Question by:compdigit44

23 Comments
 
LVL 3

Expert Comment

by:zrobinson
ID: 24088496
Use the "Computer Objects" Check box in the delegate control wizard.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24088518
Ok, but what do I select under the permission box for the Computer objects?
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 24088727

A move is a delete and an add. I know it seems strange, but that is what I found.

Mark
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24088736
Apologies, I misunderstood. If the user can create computer objects by joining them to the domain (or if you have pre-provisioned the computer accounts), you need to grant the user the permission to create computer accounts within an OU. Delegation Control Wizard > Organizational Unit Objects > check Creation / deletion of specific child objects > check Create Computer Objects

0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24088752
I hit the enter button too quickly... Wishing for an edit button.

You also need to check Delete Computer Objects, as markpalinux stated.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24088775
Yes - Basically, they need the permissions to be able to Create objects in the OU you're moving TO, and Delete objects in the container you're moving FROM.

Delegate these rights to the correct OUs and your user will be able to move objects between them... :)

Pete
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24088874
I need to do this from the domain level; will this make a difference?
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24088918
Nope, that should apply to any OU in the domain via inherited permissions.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24089462
I don't understand why I need to grant the delete permission on the computer object when I just want to grant my help desk user the ability to add a workstation to the domain and move it to an OU; that's it, I do not want them to delete computer objects from AD.

please explain
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24089580
The way that Active Directory logically looks at a move is to "delete" the computer object from the OU you are moving FROM and "create" the computer object in the OU you are moving TO.

This article has more detailed information, but confirms this AD "logic":

http://support.microsoft.com/kb/818091
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24089613
Is it possible to grant a user the ability to move computer accounts in AD BUT not be able to join them to a domain?
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24089713
There is a round-about way of doing it, but is that what you're really trying to accomplish?
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24089814
I'm still having a hard time understanding WHY the delete permission is needed when I just want to move a computer account... I'm having a mental block.
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24089868
That is the way Microsoft designed it.

Let's say you want to move the computer account from OU X to OU Y.

You have to take away the computer FROM OU X, thus deleting it from that OU, and put it INTO OU Y, thereby creating it within that OU. While the computer account does not actually get deleted or created per se, this is just how the logic of it works.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24090387
For my helpdesk group I selected the Computer object, then selected under permissions "create & delete all child objects", yet they are still getting access denied when they try to move a computer account.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24090534
Are you using the Delegation of control wizard?
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24090581
yes
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24090651
So you've basically done this -

Delegate Control Wizard >
Selected your security group >
Created a custom task to delegate >
Only the following objects in the folder >
Computer Objects >
Check Create and Delete selected objects in this folder?
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24090676
Yes.. I just read an article online that I needed to add the Write Object permissions as well..

I just did this and I'm going to help my user test it out..
0
 
LVL 19

Accepted Solution

by:
PeteJThomas earned 500 total points
ID: 24090684
I believe you need 3 permissions to move an object between OUs -

1) DELETE_CHILD on the source container or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN (name) and CN (or whatever happens to be the rdn attribute for this class, i.e. ou for org units).
3) CREATE_CHILD on the destination container.

Source - http://blog.joeware.net/2005/07/17/48/
0
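A scripted equivalent of the three rights listed in the accepted answer, added here as an example (it is not from the thread or from any of the posters). It uses the ActiveDirectory PowerShell module and its AD: drive, which Windows 2000 did not have, and assumes a group named HelpDesk, a source OU "OU=Staging,DC=corp,DC=example" and a destination OU "OU=Workstations,DC=corp,DC=example"; each ACE is scoped to the computer class rather than "all child objects".

```powershell
# Added example: delegate only Delete (source), Create (destination) and
# WriteProperty on cn/name for computer objects. Group and OU names are assumed.
Import-Module ActiveDirectory

$group = Get-ADGroup 'HelpDesk'
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID
$srcOU = 'OU=Staging,DC=corp,DC=example'
$dstOU = 'OU=Workstations,DC=corp,DC=example'

# Resolve schemaIDGUIDs from the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid] $obj.schemaIDGUID
}
$computerClass = Get-SchemaGuid 'computer'
$cnAttr        = Get-SchemaGuid 'cn'
$nameAttr      = Get-SchemaGuid 'name'

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1) DELETE_CHILD, limited to computer objects, on the source container.
$acl = Get-Acl -Path "AD:\$srcOU"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, ([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild), $allow, $computerClass, $none))

# 2) WRITE_PROP on cn and name, applied only to computer objects below the
#    source OU (Descendents inheritance, so the OU object itself is not writable).
foreach ($attr in @($cnAttr, $nameAttr)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty), $allow, $attr, $desc, $computerClass))
}
Set-Acl -Path "AD:\$srcOU" -AclObject $acl

# 3) CREATE_CHILD, limited to computer objects, on the destination container.
$acl = Get-Acl -Path "AD:\$dstOU"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild), $allow, $computerClass, $none))
Set-Acl -Path "AD:\$dstOU" -AclObject $acl

# Review the result: only ACEs granted to the HelpDesk group on the source OU.
(Get-Acl -Path "AD:\$srcOU").Access | Where-Object { $_.IdentityReference -like '*HelpDesk*' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Scoping the ACE to the computer class narrows the delete right to computer objects in that OU, but it is still a delete right, which is the point the thread keeps returning to: a move cannot be delegated without it.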
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 24090694
Ah ok, good luck, there should be no other steps involved... :)

Pete
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24090730
It works NOW!!!!!!!!!!!!!! :-)
0
 
LVL 3

Expert Comment

by:zrobinson
ID: 24090910
Sorry, Just got back to my desk.  Glad all is well.
0
