Question asked by EISDC (United States):
Creating an AD service account for Computer Object Management: Join / Remove / Rejoin to Domain, Move between OUs, Disable Computer Accounts.

Hello Experts,

I am looking for some assistance on how to create an AD service account that can manage computer objects. The account needs to join/remove/rejoin computers to the domain. It also needs to be able to disable computer objects and move them between OUs.

I have been able to set up the account to join/remove/rejoin to the domain, and it is able to disable computer accounts. The real issue I cannot get past is not being able to move the computer objects between OUs. I receive an error: "Windows cannot move object <machinename> because: Access is denied."

Any guidance would be greatly appreciated. I have not been able to find documentation that has worked for this issue.

Thank you,
Anthony
Mahesh (India) answered:

For the OU, you need to grant the service account delete permission.

Navigate to the source OU properties, Security page, and grant the required service account delete permissions.

Without delete permissions you cannot move accounts between OUs.

I believe you have already granted create object permissions (users and computers) on the target OU.
EISDC (asker):
Thanks Mahesh.

Just tried that and it did not work.

I have not been able to get anything to work for this.

One more thing: on the default "Computers" container you need to provide "delete" permission to the required service account, and make sure that the account properties, Object tab, has the "accidental deletion" checkbox cleared.
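The delegation described above, written out as an added example that is not part of the thread: it grants a placeholder service account the delete rights on the source OU and the create rights on the target OU, scoped to computer objects only, and then lists computer objects in the source OU still flagged against accidental deletion. The account name, domain and OU distinguished names are placeholders.

```powershell
# Added example (not from the thread): delegate to a service account the rights it
# needs to move computer objects out of a source OU into a target OU, then check
# the source OU for objects still protected from accidental deletion.
# Account and OU names below are placeholders for this example.
Import-Module ActiveDirectory

$svcAccount = 'CONTOSO\svc-computers'                                  # placeholder
$sourceOu   = 'OU=TEST Computer Accounts,DC=contoso,DC=com'            # placeholder
$targetOu   = 'OU=Staging,OU=TEST Computer Accounts,DC=contoso,DC=com' # placeholder

# Resolve the account to a SID so the ACEs do not depend on a name lookup later.
$sid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# schemaIDGUID of the 'computer' class: scopes every ACE below to computer objects
# only, rather than granting rights over users, groups or nested OUs.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Add-ComputerObjectRights {
    param([string]$OuDn, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules)
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Source OU: a move is a delete from the old parent, so grant Delete Child for
# computers on the OU itself and Delete on every descendant computer object.
# The second ACE is what covers objects the service account did not create.
Add-ComputerObjectRights -OuDn $sourceOu -Rules @(
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'DeleteChild', 'Allow', $computerClass, 'None')),
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'Delete', 'Allow', 'Descendents', $computerClass))
)

# Target OU: a move is also a create in the new parent.
Add-ComputerObjectRights -OuDn $targetOu -Rules @(
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'CreateChild', 'Allow', $computerClass, 'None'))
)

# Objects flagged "Protect from accidental deletion" carry explicit Deny ACEs
# that override the Allow grants above; list them so they can be reviewed.
Get-ADComputer -SearchBase $sourceOu -SearchScope OneLevel -Filter * `
    -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```

Run it as an account that already holds full control over both OUs, then re-test the move with the service account.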
EISDC (asker):
I am testing this on an OU that is outside of the default "Computers" container. The root OU "TEST Computer Accounts" is where the source computer object resides. I am trying to move the computer object from the root OU to a sub-OU under "TEST Computer Accounts".

I can create computer objects and delete computer objects I created, but I am not able to move computer objects that were not created by that service account.

Still get the same error: "Access is denied."
Hi,

This issue is all about two things:

1) Denying login on the account; it has NO need ever to log in.
2) Editing the properties to add, delete and change computer objects in AD.

For a full explanation and walkthrough see this link:

https://jonconwayuk.wordpress.com/2011/10/20/minimum-permissions-required-for-account-to-join-workstations-to-the-domain-during-deployment/

Mike