Re: Delegate Move of Computers Between OUs



I should have added to my previous post that I've avoided using the Delegate Control Wizard for several reasons:

1. it doesn't tell you exactly what it is doing
2. you can't view existing delegations
3. you can't modify or remove existing delegations
4. it provides a limited set of options which, in lots of situations, are not what is desired or required

Consequently, you have to use the object's Security tab anyway to verify it did what you want or to modify it later.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message news:OWqBC2thIHA.2084@xxxxxxxxxxxxxxxxxxxxxxx
The default is that added permissions are applied to "This object only". To change this so that it is inherited downwards through the OU hierarchy, you need to change this to "This object and all child objects", or to child objects of a particular type.

To do this,
1. on the Security tab of the OU's Properties, click Advanced
2. select the permissions you want inherited downward; click Edit
3. change the setting in the "Apply onto:" drop down list box to "This object and all child objects", or the child object type of your choice


--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Baboon" <baboon@xxxxxxxxxxxxxx> wrote in message news:85A0CA7C-83FF-4BD2-99CE-A386E926B8B1@xxxxxxxxxxxxxxxx
I used to go right to the ACL to edit it, but I found that the permissions
didn't propagate to child OUs. I just looked again and didn't see any way to
do this, at least not in ADUC.

"Anthony [MVP]" wrote:

That's good.
The Delegate Control works fine in most cases, unless you want to refine
what people can and can't do a little more,
Anthony
http://www.airdesk.co.uk


"Baboon" <baboon@xxxxxxxxxxxxxx> wrote in message
news:C8A044D1-AC8B-40D6-9C02-C927F35D8678@xxxxxxxxxxxxxxxx
> Yes, actually that is perfectly acceptable. I should have just done that.
> And thanks for the ultra quick response.
>
> "Anthony [MVP]" wrote:
>
>> Computer Objects, Full Control
>> Anthony
>> http://www.airdesk.co.uk
>>
>>
>> "Baboon" <baboon@xxxxxxxxxxxxxx> wrote in message
>> news:62CF746A-CC42-4D1D-8B59-F937A240175E@xxxxxxxxxxxxxxxx
>> > I am trying to delegate permissions to a group for moving existing
>> > computer objects between several OUs. KB932455 is probably one article
>> > among many that tells how to delegate permissions for adding computers
>> > to an OU. These are the settings from the article:
>> > ************************************************************
>> > 6. In the Tasks to Delegate page, click Create a custom task to
>> > delegate, and then click Next.
>> > 7. Click Only the following objects in the folder, and then from the
>> > list, click to select the following check boxes:
>> > . Computer objects
>> > . Create selected objects in this folder
>> > . Delete selected objects in this folder
>> > 8. Click Next.
>> > 9. In the Permissions list, click to select the following check boxes:
>> > . Reset Password
>> > . Validated write to DNS host name
>> > . Read and write Account Restrictions
>> > . Validated write to service principal name
>> > ************************************************************
>> > After following those instructions, users in that group can create and
>> > delete new computer objects in the respective OUs but cannot move
>> > existing computer objects or ones they created within those same OUs.
>> >
>> > Can someone tell me which permissions I need to add for users to move
>> > computers between these OUs?
>> >
>> > Thanks.
>> >
>> >
>>
>>
>>
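
The "Apply onto" scope discussed in this thread can be read directly from an OU's ACL, which also covers the point that the wizard cannot show existing delegations. The PowerShell below is an added example, not part of any poster's message; the function names, the group EXAMPLE\Computer-Movers and the DN in the closing comment are assumptions, and the sample ACEs are constructed.

```powershell
# Added example: report the "Apply onto" scope of explicit ACEs on an OU.
Add-Type -AssemblyName System.DirectoryServices

# schemaIDGUID of the computer class; an empty GUID means "any object type".
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$ScopeLabel = @{
    None            = 'This object only'
    All             = 'This object and all child objects'
    Descendents     = 'Child objects only'
    Children        = 'Immediate child objects only'
    SelfAndChildren = 'This object and immediate child objects'
}

function Get-ClassLabel([guid]$Id) {
    if ($Id -eq [guid]::Empty) { return 'any' }
    if ($Id -eq $ComputerClass) { return 'computer' }
    return "$Id"
}

function Get-DelegationReport {
    param($Ace)   # ActiveDirectoryAccessRule objects
    foreach ($a in $Ace) {
        if ($a.IsInherited) { continue }   # only ACEs set directly on this OU
        $scope = "$($a.InheritanceType)"
        [pscustomobject]@{
            Trustee         = $a.IdentityReference.Value
            Access          = "$($a.AccessControlType)"
            Rights          = "$($a.ActiveDirectoryRights)"
            ObjectType      = Get-ClassLabel $a.ObjectType
            ApplyOnto       = $ScopeLabel[$scope]
            ChildClass      = Get-ClassLabel $a.InheritedObjectType
            ReachesChildOUs = $scope -in 'All', 'Descendents'
        }
    }
}

# Constructed sample ACEs; EXAMPLE\Computer-Movers is a made-up group.
$who  = New-Object System.Security.Principal.NTAccount 'EXAMPLE\Computer-Movers'
$rule = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$sample = @(
    # Create/delete computer objects, left at the default "This object only".
    New-Object $rule -ArgumentList $who, 'CreateChild, DeleteChild', 'Allow', $ComputerClass, 'None', ([guid]::Empty)
    # Full control applied onto computer objects below the OU.
    New-Object $rule -ArgumentList $who, 'GenericAll', 'Allow', ([guid]::Empty), 'Descendents', $ComputerClass
)
Get-DelegationReport $sample | Format-Table -AutoSize

# Live use (assumes the ActiveDirectory module and a placeholder DN):
#   Get-DelegationReport (Get-Acl 'AD:\OU=Workstations,DC=example,DC=com').Access
```

In the sample output the first ACE shows `ReachesChildOUs` as False, which matches the symptom described above of permissions not propagating to child OUs.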