<div>
To add, it looks like you are using one-way delegation and not two-way.
</div>


<div>
I went in and added &quot;Full Control&quot; for the group to the entire OU, which if I understand correctly, would grant both of those rights. No?
</div>


<div>
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
</div>


<div>
<div class="content wysiwyg-content">
A group of technicians have been granted all delegation permissions over an OU. When they move Computer objects into the OU, they are unable to move those objects back out again. Any time they attempt to move the computer objects into a sub-OU (that also has Full Control), they receive &quot;Access Denied&quot; errors.<br />
<br />
When I look at the permissions of the OU, the users have &quot;Full Control&quot; over the OU. When I look at the computer objects inside the OU, the users' effective permissions are only &quot;Read&quot; on the object itself. It seems to me that the object is not inheriting permissions from the parent OU.<br />
<br />
The users are able to create new Computer objects in both the origin and target OUs, and they can delete existing objects in both as well. They're simply unable to move them from one to the other.<br />
<br />
Not sure where to start with this one. Any help would be appreciated. Thanks.
</div>
</div>


A group of technicians have been granted all delegation permissions over an OU. When they move Computer objects into the OU, they are unable to move those objects back out again. Any time they attempt to move the computer objects into a sub-OU (that also has Full Control), they receive "Access Denied" errors.

When I look at the permissions of the OU, the users have "Full Control" over the OU. When I look at the computer objects inside the OU, the users' effective permissions are only "Read" on the object itself. It seems to me that the object is not inheriting permissions from the parent OU.

The users are able to create new Computer objects in both the origin and target OUs, and they can delete existing objects in both as well. They're simply unable to move them from one to the other.

Not sure where to start with this one. Any help would be appreciated. Thanks.

Permissions for computer objects are not inheriting from OU

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.