Solved

Cannot move computer obect between OU's

Posted on 2014-03-25
10
3,236 Views
Last Modified: 2014-03-31
I have two users who are members of a Global Security Group that I assigned permissions to Create/Delete Computer Objects for our entire Active Directory domain. However, they get the error message "Access is denied" when trying to move the objects. They can create a computer object in both OU's as well as delete them, just not move from one to the other. I even tried assigning explicit Create/Delete Computer Objects to the user which resulted in the same error message. I verified the permissions are replicated down to the individual OU's that they are trying to move computers in between. Is there some other permission I am missing?

AD Permissions
0
Comment
Question by:RankenIS
  • 6
  • 3
10 Comments
 
LVL 18

Expert Comment

by:Raheman M. Abdul
ID: 39953228
Check on each source and destination OU if you got the following :

1. Delete Child Objects of the Computer Class in the source OU
2. Create Child Objects of the Computer Class in the target OU
0
 

Author Comment

by:RankenIS
ID: 39953278
I just applied "Create all child objects" and "Delete all child objects" to the Descendant Computer Objects of each OU. I still get the access is denied error message.
0
 
LVL 18

Expert Comment

by:Raheman M. Abdul
ID: 39953318
1. Enable Advanced Features
2. Open computer properties then select Object tab  
3. Disable "Protect object from accidental deletion" option

I guess you are trying to move objects within a forest.
1
 

Author Comment

by:RankenIS
ID: 39953334
The OU's are in the same domain. I've tried different computer objects, even the objects the users just added to the domain. None of the computers objects have the attribute "Protect object from accidental deletion" enabled.
0
 
LVL 18

Expert Comment

by:Raheman M. Abdul
ID: 39953342
Logon to the server and check if you can move with the user accounts, there is something blocking the move.
0
 

Author Comment

by:RankenIS
ID: 39953360
Same result. I logged into the domain controller as one of the affected users.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39955345
Some confusion here

Are you trying to move computer objects from one OU to another
1st question is how those computers are get in those OUs as when you join the computers to domain, they will default created in Computers container

If you are trying to move these computers from default computer container, then permissions mentioned above must be granted to global group on default computers container as well, then only you can able to move them from default computers container to required OU
Also grant that global group "add workstation to domain" user rights through default domain policy\local polices\user right assignment

Now if you are trying to  move computers which are already exists between specific OUs, then please do the replication 1st and ensure that delegated rights are replicated to all Domain controllers in domain and then check if its working

Mahesh.
0
 

Author Comment

by:RankenIS
ID: 39956178
I am trying to move computers from the default computer OU into another OU. I have applied various permissions to the root of the domain and verified they are inherited down to both OU's I am working in. The user has permissions to add workstations to the domain though group policy.

Here are the two permission scenarios I have tried:

1. Applied on the domain root
          Apply to: Descendant Computer Objects
                    Create all child objects
                    Delete all child objects

2. Applied on the domain root
          Apply to: This object and all descendant objects
                    Create computers objects
                    Delete computers objects

The user can manually create and delete computer objects in the two OU's. The weird thing is, he can't move the computer object he created between them.
0
 

Accepted Solution

by:
RankenIS earned 0 total points
ID: 39956283
0
 

Author Closing Comment

by:RankenIS
ID: 39966124
Found the solution in another thread.
0

Join & Write a Comment

The saying goes a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they’re probably not going to become an all star.  However for the system admin who is willing to spend a li…
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now