Re: Delegation Wizard

From: David Everett [MSFT] (deverett_at_online.microsoft.com)
Date: 08/31/04


Date: Tue, 31 Aug 2004 13:40:37 -0500

Hi Rob,

 1. From the Active Directory Users and Computers snap-in, click Advanced
Features on the View menu so that the Security tab is exposed when you click
Properties.

 2. Right-click the Computers container, or OU, and then click Properties.

 3. On the Security tab, click Advanced.

 4. Add the group that you want to allow re-adding of workstations with the
same name.

 5. Make sure the "This object and all child objects" option is displayed in
the "Apply onto" box.

 6. From the Permissions box, click to select the Allow check-box next to
the Create Computer Objects and Delete Computer Objects ACEs, and then click
OK.

 7. For the User to re-install an already existing system they will require
"Read all Properties," "Write all Properties," "Reset Password" and "Change
Password" rights for computer objects. To configure this, right-click the
OU, select Properties then the Security tab. Next, click the Advanced
button, highlight the user account and click Edit/View and select the "Apply
Onto" drop-down. Finally, select Computer Objects and grant Allow for these
rights:
 a. Read all Properties
 b. Write all Properties
 c. Change Password
 d. Reset Password

Keep in mind this would allow these users to also delete computer accounts
in the computers container.

-- 
David Everett
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"Rob" <rsharp@livebridge.com> wrote in message
news:ei$pnOEjEHA.3148@TK2MSFTNGP10.phx.gbl...
> Does anyone know the least amount of rights that I need to give a user
> control over computer objects within an OU. Some of my support users
> re-image computers on the domain and get an "access denied" error when they
> try to name the newly imaged pc to the same name of the old computer object.
> I know this is because they don't have permissions for the object in the
> container which it resides but I only want to delegate the permissions
> necessary for their account to rename the new build without error. I've used
> the delegation wizard to create my own custom task which gives them rights
> for computer objects and Create/delete permissions for computer objects
> within the container. Should I give them FULL CONTROL under the General
> Permissions check box? What permissions do they need in order to avoid the
> access denied error?
>
> Just wondering if anyone knows a quick answer to this.
>
> Thanks
> Rob
>
>
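
A scripted form of steps 4 through 7 of the reply above, added here as an example and not part of the original posting. It builds the same ACEs with PowerShell and the ActiveDirectory module so the delegation can be reviewed and repeated. The OU distinguished name and the group name are placeholders.

```powershell
# Added example. $ouDn and $group are assumed values; replace with your own.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDn  = 'OU=Workstations,DC=example,DC=com'
$group = 'EXAMPLE\Reimage-Techs'

# Well-known GUIDs from the AD schema and extended-rights container.
$computerClass  = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$resetPassword  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password
$changePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # Change Password

$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$thisAndAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rules = @()

# Steps 5-6: Create/Delete Computer Objects on this object and all child objects.
# As the reply notes, this also lets the group delete computer accounts here.
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $createDelete, $allow, $computerClass, $thisAndAll)

# Step 7a-b: Read/Write all properties, applied onto computer objects only.
$readWrite = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $readWrite, $allow, $descendents, $computerClass)

# Step 7c-d: Change Password and Reset Password, applied onto computer objects only.
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
foreach ($right in $changePassword, $resetPassword) {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $extended, $allow, $right, $descendents, $computerClass)
}

# Apply the ACEs to the OU, then list what the group now holds for review.
$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path $path -AclObject $acl

(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```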