create computer object

[Guest]

I have given our helpdesk group create and delete computer object over the
entire domain.

However, they are still not able to drag a computer out of the built in
computer OU to one of the OU's that we have created for policies.

Is there an additional permission that I need to give?

Thanks in advance for any help,
Hutch

 

[Guest]

You will need to delegate those users administration to that OU.
They will then be able to drag/move computers into the OU

 

[Guest]

If by saying delegate administration of that OU, if you mean to just give
them create and delete computer objects of the OU the objects are being moved
to, they already have that.

Or do I need to grant them permissions above that?

Thanks,
Hutch

 

[Guest]

Hutch,

You are on the right track.

In order to allow moves between OU's the user you are delegating will also
need delete object permissions on the built on computer OU.

So the user needs at least delete permission (althoug it is not actually
deleting) on the built-in computer ou and create permission on the OU the
user needs to move the computer to.

You may also need to give the write-all-properties permission to the
delegated user so that the object's ou location etc can be updated.

Hope this helps.

 

[Joe Richards [MVP]]

http://blog.joeware.net/2005/07/17/48/