Computer Objects

[Guest]

Hello
I am trying to find the correct permission to delegate the authority to MOVE
computer objects within ADUC. It is obvious that the permission to create and
delete computer objects is available per OU, but I would also like delegate
the authority to move computer objects within AD without giving too many
rights.

Additionally, is it possible to change the default location for created
computer accounts within AD? Can this change be made within AD?

Thank you very much for your assistance,

Mark Clark

 

[Ryan Hanisco]

Mark,

With the permission to move comes the question, "To where?" This is not
something that you can really do without thoroughly defining where they can
move them and what permissions you consider "too many." Once you have this
well defined, the configuration will be a lot clearer -- I am thinking the
majority of your work here will be giving the appropriate thought as to what
and where you really want to assign permissions.

For the redirection of the default containers to OUs, please see:
http://www.microsoft.com/resources/...003/all/deployguide/en-us/dssbf_upwn_pyog.asp

 

[Joe Richards [MVP]]

In a nutshell, if you want to move items in the DS from one container to
another, you need three permissions:
1) DELETE on the object being moved or DELETE_CHILD on the source container
2) WRITE_PROP on the object being moved for RDN and CN.
3) CREATE_CHILD on the target container