I have a problem with my Active Directory and moving objects from one OU to another. This was resolved by someone in our organisation a while ago by putting the members of staff in the Account Operators group, which gave them access to almost everything in AD.
I have the Computers container, which has a sub-OU in it, and a separate OU called Machines that has sub-OUs called Desktop and Laptops. These are the permissions that I have given a new group called "Computer Admins":
• This object and all descendants
• Create Computer objects
• Delete Computer objects
• Descendant Computer objects
• Read all properties
• Write all properties
• Change password
• Reset password
• Validated write to DNS host name
• Validated write to service principal
If a machine is joined to the domain and a member of the "Computer Admins" group moves the computer from the Computers container to the root of the "Machines" OU, it comes up with access denied, but if a domain admin first moves the computer into the sub-OU in containers and then the member of "Computer Admins" moves the computer to one of the sub-OUs of "Machines", it works fine.
If the member of "Computer Admins" also manually creates the computer account in AD, they have no problem, but they cannot move a computer someone else has created.
I hope someone can help.
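
An added example, not part of the original post: a PowerShell check that lists the access control entries the "Computer Admins" group holds on the source container, the target OU and one computer object, so the delegations described above can be compared side by side. The domain name, distinguished names and the computer name are placeholders assumed for illustration.

```powershell
Import-Module ActiveDirectory

# Assumed placeholders: replace with the real domain, OUs and a computer
# that was joined by someone outside the delegated group.
$Group   = 'EXAMPLE\Computer Admins'
$Targets = @(
    'CN=Computers,DC=example,DC=com',                    # source container
    'OU=Machines,DC=example,DC=com',                     # destination OU
    'CN=PC-PLACEHOLDER,CN=Computers,DC=example,DC=com'   # object being moved
)

# Build a GUID -> name map so object classes, attributes and extended
# rights in each ACE are shown by name instead of as raw GUIDs.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Id) {
    # An empty GUID means the ACE is not limited to one class or attribute.
    if ($Id -eq [guid]::Empty) { return '(all)' }
    if ($guidMap.ContainsKey($Id)) { return $guidMap[$Id] }
    return $Id.ToString()
}

# A move touches the object, its current parent and its new parent,
# so the group's ACEs on all three are listed for comparison.
$report = foreach ($dn in $Targets) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        ForEach-Object {
            [pscustomobject]@{
                Object      = $dn
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                AppliesTo   = Resolve-AceGuid $_.ObjectType
                InheritedBy = Resolve-AceGuid $_.InheritedObjectType
                Inheritance = $_.InheritanceType
                IsInherited = $_.IsInherited
            }
        }
}

$report | Sort-Object Object, Rights | Format-Table -AutoSize -Wrap
```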