
Need to grant specific rights to computer objects in AD

I am trying to come up with a way to allow Help Desk staff to Add/Remove/Move Computer objects in AD. By move I mean move from one OU to another. I was looking at the Delegation Wizard in ADUC but could not figure it out. I want just these rights and nothing else, so if I add a Help Desk member to a group I delegated rights to, that is all they can do.
1 Solution
You can follow the steps in this link to allow them to add the computers to the domain. I would recommend creating a security group and adding the group to the GPO. Then add all your help desk users to that group.

Mike Kline Commented:
You will probably have to go granular into the ACL (not a default choice in the delegation control wizard).

You can extend the delegation control wizard: http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

...not at my lab right now so not sure if move computer objects is one that is added there.

osiexchange Author Commented:
The newer inf file does add a lot of rights from the default, but I did not see anything in there about moving a computer object. The Microsoft article seems to cover moving and removing but not adding.

Do you know if changing the inf file does anything to rights already delegated using the old inf file?
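
Added example, not part of the original thread: one way to set the granular ACL entries mentioned above with the built-in dsacls tool, scoped to computer objects only. The group name and OU distinguished names are placeholders; the example assumes a move needs delete-child on the source OU, create-child on the target OU, and write access to the object's cn and name attributes, so the same entries go on every OU that computers move between.

```powershell
# Placeholders (assumptions): replace with your own group and OUs.
$Group = 'EXAMPLE\HelpDesk-ComputerAdmins'
$OUs = @(
    'OU=Workstations,DC=example,DC=com',
    'OU=Laptops,DC=example,DC=com'
)

foreach ($ou in $OUs) {
    # CC/DC limited to the computer class: create and delete computer
    # objects in this OU and its sub-OUs (/I:T), nothing else.
    dsacls $ou /I:T /G "${Group}:CCDC;computer"

    # A move rewrites the naming attributes of the object, so grant
    # write-property on cn and name, inherited only by computer
    # objects below the OU (/I:S).
    dsacls $ou /I:S /G "${Group}:WP;cn;computer"
    dsacls $ou /I:S /G "${Group}:WP;name;computer"
}

# Read back what the group now holds, to confirm nothing broader
# (e.g. GenericAll or WriteDacl) was granted by earlier delegations.
# Requires the ActiveDirectory module for the AD: drive.
Import-Module ActiveDirectory
foreach ($ou in $OUs) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object @{ n = 'OU'; e = { $ou } },
                      ActiveDirectoryRights,
                      ObjectType,
                      InheritedObjectType,
                      InheritanceType,
                      IsInherited
}
```

Run it from an elevated session with rights to modify the OU ACLs, and test with a Help Desk account that is a member of the group and holds no other administrative rights.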