Solved

Permissions to delete a Computer Account

Posted on 2011-02-22
12
762 Views
Last Modified: 2012-05-11
I am trying to set up a member of my Help Desk to be able to delete a computer account in AD. I am using the new delegation wizard inf file. On the OU that contains the computer object, I granted the Delete Computer Objects right. The right applies to all objects in the container, yet they still get access denied when trying to delete a computer object. What other rights are needed?
0
Comment
Question by:osiexchange
12 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954388
Post a picture of the permissions list, please.
0
 
LVL 3

Expert Comment

by:KCarney81
ID: 34954394
schema admin
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954404
Are you saying that you have to be a schema admin to delete a computer account? If so, that is not correct.
0
 

Author Comment

by:osiexchange
ID: 34954457
When I right-click on the OU and select Properties, then the Security tab, I have a test account in the list. I select that and then select Advanced. In the Permission entries window, I have one entry for the test account. Type is Allow. Permission is Delete. Apply to is Computer Objects. This is when I used the delegation wizard. I could do it manually if I knew what permissions to add.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954479
And you don't have any other permissions?

The only thing that needs to be checked is the "Delete Computer Objects" permission. It should be set to allowed.

Is that correctly set?
0
 

Author Comment

by:osiexchange
ID: 34954530
Yes, it is. No other permissions are checked. This is the actual error:

You do not have sufficient privledges to delete.
CN=msmq,CN=workstation01,OU=DisabledComputers,DC=Domain,DC=com.

What is msmq?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954570
Common Name. That should be the name of the computer that is being deleted. I don't know why you have 2 CNs though...
0
 

Author Comment

by:osiexchange
ID: 34954588
It looks like MSMQ (Microsoft Message Queue) is a child of the Computer object. I can't tell if it's complaining about not having rights to delete the computer object or the child of the computer.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954600
On the computer object itself, do you see the delete permission?
0
 

Author Comment

by:osiexchange
ID: 34954740
Yeah, right on the object itself. I look at the Security tab. I have just about every delete permission when you look at the effective rights. Do I need something stupid like the right to remove a computer from the Domain? I am deleting it, not actually removing it.
0
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 500 total points
ID: 34955174
You only need delete. Request attention to this question. Another expert may be able to help.
0
 

Author Comment

by:osiexchange
ID: 34957124
I found out through trial and error that it was the child object of the workstation account, the cn=msmq object, that is causing the access denied. Just about all of our workstation accounts have this. Not sure where it came from. I am currently trying to figure out what permissions I need to configure to allow deletion of this child object.
0
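A read-only check for the situation described in the last comment, as an added example that is not part of the original thread: it lists every computer account in the OU that has child objects (such as CN=msmq) and shows which delete-related ACEs the delegated account holds on each child. It assumes the RSAT ActiveDirectory module; the OU is the one from the error message, and the account name `DOMAIN\helpdesk-test` is a hypothetical placeholder.

```powershell
# Added example: find computer accounts with child objects and report the
# delete-related ACEs a delegated account holds on each child. Read-only.
Import-Module ActiveDirectory

$SearchBase = 'OU=DisabledComputers,DC=Domain,DC=com'   # OU from the error message in the thread
$Delegate   = 'DOMAIN\helpdesk-test'                    # hypothetical delegated account

# Rights that bear on deleting an object or the objects beneath it
$DeleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree'

Get-ADComputer -SearchBase $SearchBase -Filter * | ForEach-Object {
    $computer = $_

    # Direct children of the computer object; a leaf computer account returns none
    $children = Get-ADObject -SearchBase $computer.DistinguishedName `
                             -SearchScope OneLevel -Filter *

    foreach ($child in $children) {
        # The AD: drive is provided by the ActiveDirectory module
        $acl = Get-Acl -Path ("AD:\" + $child.DistinguishedName)

        # Only ACEs that name the delegate directly are matched here;
        # rights granted through group membership will not appear.
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Delegate -and
            ($_.ActiveDirectoryRights -band $DeleteRights)
        }

        $summary = ($aces | ForEach-Object {
            "$($_.AccessControlType) $($_.ActiveDirectoryRights) inherited=$($_.IsInherited)"
        }) -join '; '

        [pscustomobject]@{
            Computer     = $computer.Name
            Child        = $child.DistinguishedName
            ChildClass   = $child.ObjectClass
            DelegateAces = if ($summary) { $summary } else { '(none)' }
        }
    }
} | Format-Table -AutoSize -Wrap
```

A row showing `(none)` marks a child object on which the delegate has no direct delete-related ACE, which is where the thread's access-denied error pointed.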
