Re: Delegate user to add/remove computers to specified OU



Do you want to delegate the movement of computer objects between OUs? If yes, then the following is at least needed:

To be able to move a computer object from "<OU SOURCE>" to "<OU TARGET>":

DACL on “<OU SOURCE>” OU for <AD group> --> Allow “Delete Computer Objects” applying to “This object and all child objects” & Allow “read(RP)/write(WP) name” applying to “computer objects” & Allow “read(RP)/write(WP) Name” applying to “computer objects”

DACL on “<OU TARGET>” OU for <AD group> --> Allow “Create Computer Objects” applying to “This object and all child objects”


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"GUSN2005" <GUSN2005@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F0C83B45-D0EC-4DDD-85AE-1E9EE836F75A@xxxxxxxxxxxxxxxx
I have some computer OU in the windows 2003 domain.

Is there a way to Delegate a user/group to add/remove computers to
specified computer OU in AD?
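
The DACL entries listed in the reply, written as `dsacls` calls from PowerShell. This is an added example, not part of the original post. The OU distinguished names and the group name are placeholders, and mapping the two "name" entries to the `name` and `cn` attributes is an assumption.

```powershell
# Placeholder values (assumed for illustration): replace with your own DNs and group.
$SourceOU = 'OU=Source,DC=example,DC=com'
$TargetOU = 'OU=Target,DC=example,DC=com'
$Group    = 'EXAMPLE\Computer-Movers'

function Grant-Ace {
    param([string]$Ou, [string]$Inherit, [string]$Ace)
    # ${Group} keeps PowerShell from reading "$Group:" as a scope qualifier,
    # and the quotes keep ";" from being treated as a statement separator.
    dsacls $Ou "/I:$Inherit" /G "${Group}:$Ace" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $Ou for ACE '$Ace'" }
}

# Source OU: delete computer child objects, this object and all child objects (/I:T).
Grant-Ace -Ou $SourceOU -Inherit 'T' -Ace 'DC;computer'

# Source OU: read/write the naming attributes, inherited only by computer objects (/I:S).
# Assumption: "name" and "Name" in the security editor are the name and cn attributes.
foreach ($attr in 'name', 'cn') {
    Grant-Ace -Ou $SourceOU -Inherit 'S' -Ace "RPWP;$attr;computer"
}

# Target OU: create computer child objects, this object and all child objects.
Grant-Ace -Ou $TargetOU -Inherit 'T' -Ace 'CC;computer'

# Review what the group now holds on each OU, to confirm nothing broader was granted.
foreach ($ou in $SourceOU, $TargetOU) {
    "--- $ou"
    dsacls $ou | Select-String -SimpleMatch -Pattern $Group
}
```

Run it against a test OU first and compare the review output with the permissions listed in the reply.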