Solved

Permissions to delete a Computer Account

Posted on 2011-02-22
12
767 Views
Last Modified: 2012-05-11
I am trying to set up a member of my Help Desk to be able to delete a computer account in AD. I am using the new delegation wizard inf file. I granted permissions on the OU that contains the computer object the Delete Computer Objects right. The right applies to all objects in the Container yet they still get access denied when trying to delete a Computer object. What other rights are needed?
0
Comment
Question by:osiexchange
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
12 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954388
post a picture of the permissions list please
0
 
LVL 3

Expert Comment

by:KCarney81
ID: 34954394
schema admin
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954404
Are you saying that you have to be a schema admin to delete a computer account? If so, that is not correct.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:osiexchange
ID: 34954457
When I right click on the OU and select Properties, then the Security tab. I have a test account in the list. I select that and then select Advanced. In the Permissions entries window, I have one entry for the test account. Type is allow. Permission is Delete. Apply to is Computer Objects. This is when I used the delegation wizard. I can do it manually if I knew what permissions to add.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954479
And you don't have any other pemissions?

The only thing that needs to be checked is the "Delete Computer Objects" permission. It should be set to allowed.

Is that correcly set?
0
 

Author Comment

by:osiexchange
ID: 34954530
Yes, it is. No other permissions are checked. THis is the actual error:

You do not have sufficient privledges to delete.
CN=msmq,CN=workstation01,OU=DisabledComputers,DC=Domain,DC=com.

What is msmq?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954570
Common Name. That should be the name of the computer that is being deleted. I don't know why you have 2 CNs though...
0
 

Author Comment

by:osiexchange
ID: 34954588
It looks like MSMQ (Microsoft Message Queue) is a child of the Computer object. I can't tell if its complaining about not having rights to delete the computer object or the child of the computer.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954600
On the computer object itself, do you see the delete permission?
0
 

Author Comment

by:osiexchange
ID: 34954740
Yeah, right on the object itself. I look at the Security tab. I have just about every delete permmission when you look at the effective rights. Do I need something stupid like the right to remove a computer from the Domain. I am deleting it, not actually removing it.
0
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 500 total points
ID: 34955174
You only need delete. Request attention to this question. Another expert may be able to help.
0
 

Author Comment

by:osiexchange
ID: 34957124
I found out through trial and error that it was the child object of the workstation account, the cn=msmq object that is causing the access denied. Just about all of our workstation accounts have this. Not sure where it came from. I am currently trying to figure out what permiissions I need to configure to allow deletion of this child object.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Here's a look at newsworthy articles and community happenings during the last month.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question