Simon336697
asked on
Using Dsacls to assign a user the right to move users from OU1 to OU2
Hi everyone hope you are all well.
Guys I'm having trouble with the following.
I need to assign the user Bob, the right to move user accounts from OU1 to OU2.
This is what I thought Bob would need:
DC (Delete Child) permission on the OU named 'OU1' for user accounts.
CC (Create Child) permission on the OU named 'OU2' for user accounts.
I run the following 2 Dsacls commands:
Dsacls <path to OU1> /G domain1\Bob:DC;user
Dsacls <path to OU2> /G domain1\Bob:CC;user
I then test out whether Bob can move a user from OU1 to OU2, and it fails with an Access Denied.
Guys what am I missing here?
I thought all I would need for Bob is the ability to delete the account in OU1 and the ability to create it again in the OU2.
Any help greatly appreciated.
ASKER
I'm still having issues understanding why a move of a user object requires WRITE PERMISSION on the SOURCE OU. I thought it would only need Delete child. But when I do this, I get Access Denied.
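The following is an added example, not part of the original thread. Active Directory performs a move as a rename of the object's distinguished name rather than a delete followed by a create, so the moving account also needs Write Property on the moved object's naming attributes (`cn` and `name`); the script grants that as an inherited ACE on the source OU, next to the two grants from the question. The OU distinguished names are constructed placeholders and `Grant-MoveUserRight` is a hypothetical helper name; the trustee `domain1\Bob` is taken from the question.

```powershell
# Added example: delegate only what is needed to move user objects between
# two OUs. Run from an elevated shell with rights to edit both OUs' ACLs.
function Grant-MoveUserRight {
    param(
        [Parameter(Mandatory)] [string] $SourceOU,   # DN of the OU users leave
        [Parameter(Mandatory)] [string] $TargetOU,   # DN of the OU users enter
        [Parameter(Mandatory)] [string] $Trustee     # DOMAIN\account to delegate to
    )

    # Each entry: target DN, inheritance switch (or $null), ACE for /G.
    $grants = @(
        # Delete Child for user objects on the source OU (from the question).
        @($SourceOU, $null,  "${Trustee}:DC;user"),
        # Write Property on the naming attributes of user objects below the
        # source OU. /I:S applies the ACE to sub-objects only, not the OU.
        @($SourceOU, '/I:S', "${Trustee}:WP;cn;user"),
        @($SourceOU, '/I:S', "${Trustee}:WP;name;user"),
        # Create Child for user objects on the target OU (from the question).
        @($TargetOU, $null,  "${Trustee}:CC;user")
    )

    foreach ($g in $grants) {
        $dn, $inherit, $ace = $g
        $dsaclsArgs = @($dn)
        if ($inherit) { $dsaclsArgs += $inherit }
        $dsaclsArgs += @('/G', $ace)

        & dsacls.exe @dsaclsArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "dsacls failed for '$ace' on '$dn' (exit code $LASTEXITCODE)"
        }
    }

    # Show the resulting ACEs for the trustee so the delegation can be reviewed.
    foreach ($dn in $SourceOU, $TargetOU) {
        "--- $dn ---"
        & dsacls.exe $dn | Select-String -SimpleMatch $Trustee
    }
}

# Constructed placeholder DNs; replace with the real paths to OU1 and OU2.
Grant-MoveUserRight -SourceOU 'OU=OU1,DC=domain1,DC=example' `
                    -TargetOU 'OU=OU2,DC=domain1,DC=example' `
                    -Trustee  'domain1\Bob'
```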