Simon336697 asked:

Using Dsacls to assign a user the right to move users from OU1 to OU2

Hi everyone hope you are all well.
Guys I'm having trouble with the following.

I need to assign the user Bob, the right to move user accounts from OU1 to OU2.

This is what I thought Bob would need:

DC (Delete Child) permission on the OU named 'OU1' for user accounts.
CC (Create Child) permission on the OU named 'OU2' for user accounts.

I run the following 2 Dsacls commands:
Dsacls <path to OU1> /G domain1\Bob:DC;user
Dsacls <path to OU2> /G domain1\Bob:CC;user

I then test out whether Bob can move a user from OU1 to OU2, and it fails with an Access Denied.

Guys what am I missing here?
I thought all I would need for Bob is the ability to delete the account in OU1 and the ability to create it again in OU2.

Any help greatly appreciated.
ASKER CERTIFIED SOLUTION
Venugopal N
Simon336697 (ASKER)

Hi there Venurajav, thanks for that link... it is a good link but a bit hard to follow since it does not explicitly tell you what rights are needed from a source and destination OU.
I'm still having issues understanding why a move of a user object requires WRITE PERMISSION on the SOURCE OU. I thought it would only need Delete child. But when I do this, I get Access Denied.
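
The delegation discussed in this thread, as an added example that is not part of the original posts: a move rewrites the object's distinguished name, so in addition to Delete Child on the source OU and Create Child on the destination OU, Active Directory checks Write Property on the moved object's naming attributes (cn and name). The helper name Grant-MoveUserRight and the placeholder DNs in the usage comment are assumptions; the trustee domain1\Bob comes from the question.

```powershell
# Added example: delegate "move user objects from OU1 to OU2" with least privilege.
# Grant-MoveUserRight is a hypothetical helper name, not a built-in cmdlet.
function Grant-MoveUserRight {
    param(
        [Parameter(Mandatory)] [string] $Trustee,   # e.g. domain1\Bob
        [Parameter(Mandatory)] [string] $SourceOU,  # distinguished name of OU1
        [Parameter(Mandatory)] [string] $DestOU     # distinguished name of OU2
    )

    # One dsacls invocation per entry; each entry is the full argument list.
    $grants = @(
        # Source OU: delete child objects of class user (the question's first command).
        @($SourceOU, '/G', "${Trustee}:DC;user"),

        # User objects below the source OU (/I:S = sub-objects only):
        # write the naming attributes. This is the "write" permission the
        # move was failing on when only DC and CC had been granted.
        @($SourceOU, '/I:S', '/G', "${Trustee}:WP;cn;user", "${Trustee}:WP;name;user"),

        # Destination OU: create child objects of class user (the question's second command).
        @($DestOU, '/G', "${Trustee}:CC;user")
    )

    foreach ($a in $grants) {
        & dsacls.exe @a | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "dsacls failed for arguments: $($a -join ' ') (exit code $LASTEXITCODE)"
        }
    }

    # Print the resulting ACL lines for the trustee so the delegation can be reviewed.
    $account = [regex]::Escape($Trustee)
    foreach ($dn in @($SourceOU, $DestOU)) {
        "--- $dn"
        & dsacls.exe $dn | Select-String -Pattern $account
    }
}

# Usage (placeholder DNs, replace with the real paths to OU1 and OU2):
# Grant-MoveUserRight -Trustee 'domain1\Bob' `
#     -SourceOU 'OU=OU1,<domain DN>' -DestOU 'OU=OU2,<domain DN>'
```

The write grants are scoped to the cn and name properties of user objects only, so Bob cannot change other attributes of the accounts in OU1.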