Solved

Permissions to delete a Computer Account

Posted on 2011-02-22
Last Modified: 2012-05-11
I am trying to set up a member of my Help Desk to be able to delete a computer account in AD. I am using the new delegation wizard inf file. I granted permissions on the OU that contains the computer object the Delete Computer Objects right. The right applies to all objects in the Container yet they still get access denied when trying to delete a Computer object. What other rights are needed?
Question by:osiexchange

Expert Comment

by:Joseph Moody
ID: 34954388
Post a picture of the permissions list, please.

Expert Comment

by:KCarney81
ID: 34954394
schema admin

Expert Comment

by:Joseph Moody
ID: 34954404
Are you saying that you have to be a schema admin to delete a computer account? If so, that is not correct.

Author Comment

by:osiexchange
ID: 34954457
When I right-click on the OU and select Properties, then the Security tab, I have a test account in the list. I select that and then select Advanced. In the Permissions entries window, I have one entry for the test account. Type is Allow. Permission is Delete. Apply to is Computer Objects. This is when I used the delegation wizard. I could do it manually if I knew what permissions to add.

Expert Comment

by:Joseph Moody
ID: 34954479
And you don't have any other permissions?

The only thing that needs to be checked is the "Delete Computer Objects" permission. It should be set to allowed.

Is that correctly set?

Author Comment

by:osiexchange
ID: 34954530
Yes, it is. No other permissions are checked. This is the actual error:

You do not have sufficient privledges to delete.
CN=msmq,CN=workstation01,OU=DisabledComputers,DC=Domain,DC=com.

What is msmq?

Expert Comment

by:Joseph Moody
ID: 34954570
Common Name. That should be the name of the computer that is being deleted. I don't know why you have 2 CNs though...

Author Comment

by:osiexchange
ID: 34954588
It looks like MSMQ (Microsoft Message Queue) is a child of the Computer object. I can't tell if it's complaining about not having rights to delete the computer object or the child of the computer.

Expert Comment

by:Joseph Moody
ID: 34954600
On the computer object itself, do you see the delete permission?

Author Comment

by:osiexchange
ID: 34954740
Yeah, right on the object itself. I look at the Security tab. I have just about every delete permission when you look at the effective rights. Do I need something stupid like the right to remove a computer from the Domain? I am deleting it, not actually removing it.

Accepted Solution

by:Joseph Moody
ID: 34955174
You only need delete. Request attention to this question. Another expert may be able to help.

Author Comment

by:osiexchange
ID: 34957124
I found out through trial and error that it was the child object of the workstation account, the cn=msmq object, that is causing the access denied. Just about all of our workstation accounts have this. Not sure where it came from. I am currently trying to figure out what permissions I need to configure to allow deletion of this child object.
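
The finding in the last comment (a child object under the computer account blocks the delete) can be checked directly. The script below is an added example, not part of the original thread: it lists every object beneath the computer account and the delete-related ACEs the delegated account holds on each. It assumes the RSAT ActiveDirectory module; the account and group names are hypothetical placeholders, and the DN is the one from the error message above.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module,
# which also provides the AD: drive used by Get-Acl below.
Import-Module ActiveDirectory

# DN from the error message in the thread (the parent of CN=msmq).
$ComputerDN = 'CN=workstation01,OU=DisabledComputers,DC=Domain,DC=com'

# Hypothetical placeholders: the delegated test account and any group it
# receives rights through. Only ACEs naming these identities are reported.
$Delegates = @('DOMAIN\helpdesk-test', 'DOMAIN\HelpDesk-Delegation')

# Delete-related rights: the object itself, its subtree, or its direct children.
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'

# The computer account plus everything beneath it (for example CN=msmq).
$targets = Get-ADObject -SearchBase $ComputerDN -SearchScope Subtree -Filter *

$report = foreach ($obj in $targets) {
    $aces = (Get-Acl -Path "AD:\$($obj.DistinguishedName)").Access | Where-Object {
        $Delegates -contains $_.IdentityReference.Value -and
        ([int]($_.ActiveDirectoryRights -band $deleteRights)) -ne 0
    }

    if ($aces) {
        foreach ($ace in $aces) {
            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Class     = $obj.ObjectClass
                Type      = $ace.AccessControlType     # Allow or Deny
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
    else {
        # No delete-related ACE for the delegate on this object: a likely
        # source of "access denied" when the parent is deleted.
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Class     = $obj.ObjectClass
            Type      = '(none)'
            Rights    = ''
            Inherited = ''
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Rows showing `(none)` for a child object while the computer object itself shows an Allow entry match the symptom described in this thread.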