Solved

Permissions to delete a Computer Account

Posted on 2011-02-22
12
761 Views
Last Modified: 2012-05-11
I am trying to set up a member of my Help Desk to be able to delete a computer account in AD. I am using the new delegation wizard inf file. I granted permissions on the OU that contains the computer object the Delete Computer Objects right. The right applies to all objects in the Container yet they still get access denied when trying to delete a Computer object. What other rights are needed?
0
Comment
Question by:osiexchange
  • 6
  • 5
12 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954388
post a picture of the permissions list please
0
 
LVL 3

Expert Comment

by:KCarney81
ID: 34954394
schema admin
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954404
Are you saying that you have to be a schema admin to delete a computer account? If so, that is not correct.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:osiexchange
ID: 34954457
When I right click on the OU and select Properties, then the Security tab. I have a test account in the list. I select that and then select Advanced. In the Permissions entries window, I have one entry for the test account. Type is allow. Permission is Delete. Apply to is Computer Objects. This is when I used the delegation wizard. I can do it manually if I knew what permissions to add.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954479
And you don't have any other pemissions?

The only thing that needs to be checked is the "Delete Computer Objects" permission. It should be set to allowed.

Is that correcly set?
0
 

Author Comment

by:osiexchange
ID: 34954530
Yes, it is. No other permissions are checked. THis is the actual error:

You do not have sufficient privledges to delete.
CN=msmq,CN=workstation01,OU=DisabledComputers,DC=Domain,DC=com.

What is msmq?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954570
Common Name. That should be the name of the computer that is being deleted. I don't know why you have 2 CNs though...
0
 

Author Comment

by:osiexchange
ID: 34954588
It looks like MSMQ (Microsoft Message Queue) is a child of the Computer object. I can't tell if its complaining about not having rights to delete the computer object or the child of the computer.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954600
On the computer object itself, do you see the delete permission?
0
 

Author Comment

by:osiexchange
ID: 34954740
Yeah, right on the object itself. I look at the Security tab. I have just about every delete permmission when you look at the effective rights. Do I need something stupid like the right to remove a computer from the Domain. I am deleting it, not actually removing it.
0
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 500 total points
ID: 34955174
You only need delete. Request attention to this question. Another expert may be able to help.
0
 

Author Comment

by:osiexchange
ID: 34957124
I found out through trial and error that it was the child object of the workstation account, the cn=msmq object that is causing the access denied. Just about all of our workstation accounts have this. Not sure where it came from. I am currently trying to figure out what permiissions I need to configure to allow deletion of this child object.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AD 20012 r2 / vmware horizon 6 37
Server 2008 R2 and Windows 10 Admin Templates 7 38
Duplicate SPN records 4 19
Admin account lockout 10 39
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question