Access Denied when moving computers in AD from one OU to another

I have a problem with my Active Directory and moving objects from one OU to another.  This was resolved by someone in our organisation a while ago by putting the members of staff in the account operators group which gave them access to almost everything in AD.

I have the Computers container, which has a sub-OU in it, and a separate OU called Machines that has sub-OUs called Desktop and Laptops. These are the permissions that I have given a new group called "Computer Admins":

•      This object and all descendants
       •      Create Computer objects
       •      Delete Computer objects
•      Descendant Computer objects
       •      Read all properties
       •      Write all properties
       •      Change password
       •      Reset password
       •      Validated write to DNS host name
       •      Validated write to service principal

If a machine is joined to the domain and a member of the "Computer Admins" group moves the computer from the Computers container to the root of the "Machines" OU, it comes up with access denied, but if a domain admin first moves the computer into the sub-OU in the Computers container and then the member of "Computer Admins" moves the computer to one of the sub-OUs of "Machines", it works fine.

If the member of "Computer Admins" also manually creates the computer account in AD they have no problem, but they cannot move a computer someone else has created.

I hope someone can help.

Will Szymkowski (Senior Solution Architect) Commented:
Access Denied is almost every time related to incorrect permissions. Did you set these permissions manually? I would start over and use the Delegate of Control Wizard.

Within AD you can be very granular when it comes to permissions. So that is why you need to use DofCW to set permissions properly.

Simply creating computer objects only allows the user to modify their own. This is why when a user creates a computer object they are the only ones that can move it. No one else from the Computer Admins can do this.

Delegate of Control Wizard

WNottsC (Author) Commented:
I did, I am just not entirely sure what permissions I need to set in order to let the "Computer Admins" group create, delete, move and edit all computer accounts in a given OU. Below I have reposted the permissions that this group has in the two OUs in question.

Are these the correct permissions?

•      This object and all descendants
        •      Create Computer objects
        •      Delete Computer objects
•      Descendant Computer objects
        •      Read all properties
        •      Write all properties
        •      Change password
        •      Reset password
        •      Validated write to DNS host name
        •      Validated write to service principal

Will Szymkowski (Senior Solution Architect) Commented:
If you want your "computer admins" to have full access to do what they want over the computers in a particular OU then you need to set Full Permissions for Descendant Computer Objects. This will then allow them to modify the computers that they add and that other people have added.
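
The following is an added example, not part of the original thread: a PowerShell audit that lists the access control entries the delegated group actually holds on both containers involved in the move, so the delegation discussed above can be compared on the source and the destination. The domain name `EXAMPLE` and the distinguished names are assumptions; it requires the ActiveDirectory module (RSAT).

```powershell
# Added example: report the ACEs a delegated group holds on the source and
# destination containers of a computer move. All names below are assumptions.
Import-Module ActiveDirectory

$Group      = 'EXAMPLE\Computer Admins'        # assumed NetBIOS domain name
$Containers = @(
    'CN=Computers,DC=example,DC=com',          # assumed source container DN
    'OU=Machines,DC=example,DC=com'            # assumed destination OU DN
)

# schemaIDGUID of the "computer" class; an all-zero GUID means "not restricted"
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$Unrestricted  = [guid]::Empty

function Resolve-ClassGuid {
    param([guid]$Guid)
    if     ($Guid -eq $ComputerClass) { 'computer' }
    elseif ($Guid -eq $Unrestricted)  { '(all)' }
    else                              { $Guid.ToString() }  # property or other class
}

function Get-DelegatedAce {
    param([string]$DistinguishedName, [string]$Identity)

    # The AD: drive is provided by the ActiveDirectory module
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            [pscustomobject]@{
                Container   = $DistinguishedName
                Type        = $_.AccessControlType        # Allow or Deny
                Rights      = $_.ActiveDirectoryRights    # e.g. CreateChild, DeleteChild
                ObjectType  = Resolve-ClassGuid $_.ObjectType           # class/property the right targets
                AppliesTo   = Resolve-ClassGuid $_.InheritedObjectType  # descendant class that inherits it
                Inheritance = $_.InheritanceType          # None, All, Descendents, ...
                Inherited   = $_.IsInherited              # set on a parent vs. directly here
            }
        }
}

$Containers |
    ForEach-Object { Get-DelegatedAce -DistinguishedName $_ -Identity $Group } |
    Format-Table -AutoSize -Wrap
```

A container that returns no rows for the group has no delegation for it at that level, which is worth checking for both ends of a move before widening rights or falling back to a broad built-in group.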
