Discussion:
Delegate Move of Computers Between OUs
Baboon
2008-03-14 16:54:01 UTC
I am trying to delegate permissions to a group for moving existing computer
objects between several OUs. KB932455 is probably one article among many
that tells how to delegate permissions for adding computers to an OU. These
are the settings from the article:
************************************************************
6. In the Tasks to Delegate page, click Create a custom task to delegate,
and then click Next.
7. Click Only the following objects in the folder, and then from the list,
click to select the following check boxes:
• Computer objects
• Create selected objects in this folder
• Delete selected objects in this folder
8. Click Next.
9. In the Permissions list, click to select the following check boxes:
• Reset Password
• Validated write to DNS host name
• Read and write Account Restrictions
• Validated write to service principal name
************************************************************
After following those instructions, users in that group can create and delete
new computer objects in the respective OUs but cannot move existing computer
objects, or ones they created, within those same OUs.

Can someone tell me which permissions I need to add for users to move
computers between these OUs?

Thanks.
Anthony [MVP]
2008-03-14 17:24:54 UTC
Computer Objects, Full Control
Anthony
http://www.airdesk.co.uk
Baboon
2008-03-14 18:01:01 UTC
Yes, actually that is perfectly acceptable. I should have just done that.
And thanks for the ultra quick response.
Anthony [MVP]
2008-03-14 19:20:48 UTC
That's good.
The Delegate Control works fine in most cases, unless you want to refine
what people can and can't do a little more,
Anthony
http://www.airdesk.co.uk
Baboon
2008-03-14 21:44:00 UTC
I used to go right to the ACL to edit it, but I found that the permissions
didn't propagate to child OUs. I just looked again and didn't see any way to
do this, at least not in ADUC.
Bruce Sanderson
2008-03-15 20:45:29 UTC
The default is that added permissions are applied to "This object only". To
change this so that it is inherited downwards through the OU hierarchy, you
need to change this to "This object and all child objects", or to child
objects of a particular type.

To do this,
1. on the Security tab of the OU's Properties, click Advanced
2. select the permissions you want inherited downward; click Edit
3. change the setting in the "Apply onto:" drop-down list box to "This object
and all child objects", or the child object type of your choice
--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
Bruce Sanderson
2008-03-15 20:56:34 UTC
I should have added to my previous post that I've avoided using the Delegate
Control Wizard for several reasons:

1. it doesn't tell you exactly what it is doing
2. you can't view existing delegations
3. you can't modify or remove existing delegations
4. it provides a limited set of options which, in lots of situations are not
what is desired or required

Consequently, you have to use the object's Security tab anyway to verify it
did what you want or to modify it later.
--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
Baboon
2008-03-16 17:52:00 UTC
I agree and would rather use the ACL editor. I especially don't like the
fact that I can't see the existing permissions using the Wizard.

For some reason the Apply Onto field is grayed out, the way I remember it.
I'll look into that when I am on site.

Thanks.
Jorge de Almeida Pinto [MVP - DS]
2008-03-16 22:28:31 UTC
That is painful to delegate! You will see why.

but here is the answer....

to be able to move a computer object from "<OU SOURCE>" to "<OU TARGET>"

DACL on “<OU SOURCE>” OU for <AD group> --> Allow “Delete Computers Objects”
applying to “This object and all child objects” & Allow “read(RP)/write(WP)
name” applying to “computer objects” & Allow “read(RP)/write(WP) Name”
applying to “computer objects”

DACL on “<OU TARGET>” OU for <AD group> --> Allow “Create Computer Objects”
applying to “This object and all child objects”
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
Miles Li [MSFT]
2008-03-17 10:02:59 UTC
Hello,

Thanks for your posts as well as Jorge's sharing.

To grant the user the minimum permissions to move a computer account from one
OU to another, you need to manually modify the ACL of both OUs.

A MOVE process includes:

1. Read the computer account object in the source OU.
2. Create the computer account in the destination OU.
3. Delete the original computer account in the source OU.

The ACL permissions that should be added:

1. On the source OU
- Allow the group 'Delete Computer Objects' permission applied onto 'This
Object and all child objects'.
- Allow the group 'Read All properties' and 'Write All properties'
permissions applied onto 'Computer objects'.

2. On the destination OU
- Allow the group 'Create Computer objects' permission applied onto 'This
Object and all child objects'.

Hope this helps.



Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
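The minimal ACE set that Jorge and Miles describe above (Delete Computer objects on the source OU, Create Computer objects on the target OU, and write access to the RDN attributes on descendant computer objects), together with Bruce's point that the "Apply onto" scope has to be set explicitly and that the Delegation of Control wizard cannot show you what it wrote. The script below is an added example and is not code from any of the posters. It assumes the ActiveDirectory PowerShell module and its AD: drive are available on the machine you run it from, and the group name and OU distinguished names passed to the functions are placeholders you replace with your own. It follows Jorge's tighter variant (read/write on `name` and `cn` only) rather than Miles's "Read/Write All properties"; the class and attribute GUIDs are looked up from the schema by ldapDisplayName instead of being hard-coded.

```powershell
# Added example, not from the original thread. Assumptions: ActiveDirectory
# module present, AD: PSDrive mounted, caller has rights to modify OU ACLs.
# $GroupName / $SourceOU / $TargetOU are placeholders supplied by the caller.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve a class or attribute ldapDisplayName to its schemaIDGUID, which is
    # what an object-specific ACE carries in ObjectType / InheritedObjectType.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(ldapDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Grant-ComputerMoveDelegation {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'DeployContractors' (placeholder)
        [Parameter(Mandatory)][string]$SourceOU,    # distinguishedName of the source OU
        [Parameter(Mandatory)][string]$TargetOU     # distinguishedName of the target OU
    )
    $sid      = (Get-ADGroup -Identity $GroupName).SID
    $computer = Get-SchemaGuid 'computer'
    $nameAttr = Get-SchemaGuid 'name'   # RDN value, listed as "name" in the ACL editor
    $cnAttr   = Get-SchemaGuid 'cn'     # listed as "Name" in the ACL editor
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    # "This object and all child objects" / "Descendant ... objects" in the ACL editor:
    $all      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $desc     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $rwProp   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    # Source OU: Delete Computer objects, applied to this object and all child objects.
    $srcAcl = Get-Acl -Path "AD:\$SourceOU"
    $srcAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild, $allow, $computer, $all)))
    # A move is a modifyDN, which rewrites the RDN, so the group also needs
    # read/write on name and cn, applied only to descendant computer objects.
    foreach ($attr in @($nameAttr, $cnAttr)) {
        $srcAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $rwProp, $allow, $attr, $desc, $computer)))
    }
    Set-Acl -Path "AD:\$SourceOU" -AclObject $srcAcl

    # Target OU: Create Computer objects, applied to this object and all child objects.
    $dstAcl = Get-Acl -Path "AD:\$TargetOU"
    $dstAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow, $computer, $all)))
    Set-Acl -Path "AD:\$TargetOU" -AclObject $dstAcl
}

function Show-Delegation {
    # Read back the ACEs granted to the group on an OU, with GUIDs resolved to
    # names, so the result can be checked without trusting the wizard.
    param([Parameter(Mandatory)][string]$OU, [Parameter(Mandatory)][string]$GroupName)
    $sid      = (Get-ADGroup -Identity $GroupName).SID
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $names = @{}
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties ldapDisplayName, schemaIDGUID |
        ForEach-Object { $names[([guid]$_.schemaIDGUID).ToString()] = $_.ldapDisplayName }
    $names[[guid]::Empty.ToString()] = '(all)'

    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        } |
        Select-Object @{n='Type';      e={ $_.AccessControlType }},
                      @{n='Rights';    e={ $_.ActiveDirectoryRights }},
                      @{n='Object';    e={ $names[$_.ObjectType.ToString()] }},
                      @{n='ApplyTo';   e={ $_.InheritanceType }},
                      @{n='Inherited'; e={ $names[$_.InheritedObjectType.ToString()] }},
                      @{n='IsInherited'; e={ $_.IsInherited }} |
        Format-Table -AutoSize
}

# Usage (placeholders):
# Grant-ComputerMoveDelegation -GroupName 'DeployContractors' `
#     -SourceOU 'OU=Staging,DC=corp,DC=example' -TargetOU 'OU=Workstations,DC=corp,DC=example'
# Show-Delegation -OU 'OU=Staging,DC=corp,DC=example' -GroupName 'DeployContractors'
```

Run Show-Delegation on both OUs afterwards and confirm the ApplyTo column reads All for the Create/Delete ACEs and Descendents with Inherited = computer for the name/cn ACEs; an ACE that shows None is the "This object only" default Bruce describes and will not reach the computer objects. Because both Create and Delete are scoped to "This object and all child objects", the group can also create or delete computers in any sub-OU of the two OUs, which matches the thread's intent but is worth knowing before you point this at an OU with sensitive children.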
Baboon
2008-03-19 01:34:01 UTC
Thanks much to everyone.

If I am feeling ambitious I may use the more granular approach. For now,
giving full control of the computer objects and allowing adding and deleting
computer objects on all the applicable OUs is acceptable, and I find it works.

Because these machines will be moved to permanent OUs when fully deployed,
the contractors will have full control of the computer objects only when
first deployed, which shouldn't be a problem. (They will not have access to
the permanent OUs, someone else will take care of that.)