Solved

Permissions to delete a Computer Account

Posted on 2011-02-22
Last Modified: 2012-05-11
I am trying to set up a member of my Help Desk to be able to delete a computer account in AD. I am using the new delegation wizard inf file. On the OU that contains the computer object, I granted the Delete Computer Objects right. The right applies to all objects in the Container, yet they still get access denied when trying to delete a Computer object. What other rights are needed?
Question by:osiexchange
12 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954388
Post a picture of the permissions list, please.
0
 
LVL 3

Expert Comment

by:KCarney81
ID: 34954394
schema admin
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954404
Are you saying that you have to be a schema admin to delete a computer account? If so, that is not correct.
0

 

Author Comment

by:osiexchange
ID: 34954457
When I right-click on the OU and select Properties, then the Security tab, I have a test account in the list. I select that and then select Advanced. In the Permissions entries window, I have one entry for the test account. Type is allow. Permission is Delete. Apply to is Computer Objects. This is when I used the delegation wizard. I could do it manually if I knew what permissions to add.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954479
And you don't have any other permissions?

The only thing that needs to be checked is the "Delete Computer Objects" permission. It should be set to allowed.

Is that correctly set?
0
 

Author Comment

by:osiexchange
ID: 34954530
Yes, it is. No other permissions are checked. This is the actual error:

You do not have sufficient privledges to delete.
CN=msmq,CN=workstation01,OU=DisabledComputers,DC=Domain,DC=com.

What is msmq?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954570
Common Name. That should be the name of the computer that is being deleted. I don't know why you have 2 CNs though...
0
 

Author Comment

by:osiexchange
ID: 34954588
It looks like MSMQ (Microsoft Message Queue) is a child of the Computer object. I can't tell if it's complaining about not having rights to delete the computer object or the child of the computer.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 34954600
On the computer object itself, do you see the delete permission?
0
 

Author Comment

by:osiexchange
ID: 34954740
Yeah, right on the object itself. I look at the Security tab. I have just about every delete permission when you look at the effective rights. Do I need something stupid like the right to remove a computer from the Domain? I am deleting it, not actually removing it.
0
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 2000 total points
ID: 34955174
You only need delete. Request attention to this question. Another expert may be able to help.
0
 

Author Comment

by:osiexchange
ID: 34957124
I found out through trial and error that it was the child object of the workstation account, the cn=msmq object, that is causing the access denied. Just about all of our workstation accounts have this. Not sure where it came from. I am currently trying to figure out what permissions I need to configure to allow deletion of this child object.
0
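
The finding in the last comment (a child object such as CN=msmq under the computer account blocks the delete) can be checked across a whole OU before delegating. The following is an added example, not part of the original thread: it assumes the RSAT ActiveDirectory PowerShell module and read access to the OU, the `$SearchBase` value is a placeholder modeled on the DN in the error message, and `Get-ComputerChildObject` is a hypothetical helper name.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the OU.
Import-Module ActiveDirectory

# Placeholder DN modeled on the error message in the thread; replace with your own OU.
$SearchBase = 'OU=DisabledComputers,DC=Domain,DC=com'

function Get-ComputerChildObject {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $computer = $_
        # OneLevel returns only the direct children of the computer object (e.g. CN=msmq).
        Get-ADObject -Filter * -SearchBase $computer.DistinguishedName -SearchScope OneLevel |
            ForEach-Object {
                [pscustomobject]@{
                    Computer   = $computer.Name
                    ChildName  = $_.Name
                    ChildClass = $_.ObjectClass
                    ChildDN    = $_.DistinguishedName
                }
            }
    }
}

$children = Get-ComputerChildObject -SearchBase $SearchBase

# Which child object classes exist, and on how many computer accounts.
$children | Group-Object ChildClass | Sort-Object Count -Descending |
    Select-Object Name, Count

# For one sample child, show the ACEs that mention a delete right or full control,
# so you can see whether the delegated account is covered on the child itself.
$sample = $children | Select-Object -First 1
if ($sample) {
    (Get-Acl -Path ("AD:\" + $sample.ChildDN)).Access |
        Where-Object { $_.ActiveDirectoryRights -match 'Delete|GenericAll' } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}
```

Computer accounts that appear in the output are not leaf objects, so a delegation scoped only to computer objects does not cover everything that a delete of those accounts has to remove.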
