Delegation: Moving User between OUs

Discussion in 'Active Directory' started by Chris, Nov 10, 2004.

  1. Chris

    Chris Guest

    Hi NG

    I have a domain with a few OUs, each with a different group policy. Now I want
    to delegate the right to move users between these OUs to the support team. I
    don't want to give them rights to modify other user details.

    What I've done:
    Added the group with the rights to create and delete users.
    Added the group to write / read "Public Information".

    Like that it worked, but the group could change user details. So I had to
    remove write / read Public Information.

    The question is, what are the minimum rights that I need to give the group to
    move users between OUs?

    Thanks for your help
    Chris, Nov 10, 2004

  2. This is an FAQ. The answer can be found in the AD delegation whitepaper,
    available for download at MS downloads site.

    From one of my earlier posts here:

    In order to move an object in DS, you need the following three permissions:

    1) DELETE_CHILD on the source container or DELETE on the object being moved
    2) WRITE_PROP on the object being moved for two properties: RDN (name) and
    CN (or whatever happens to be the rdn attribute for this class, i.e. ou for
    org units).
    3) CREATE_CHILD on the destination container.

    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    Dmitri Gavrilov [MSFT], Nov 10, 2004
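
Added example, not part of the original posts: one way to grant exactly the three permissions listed in the answer using `dsacls`, scoped to user objects and without any write access to the Public Information property set. The domain, OU names and group name are constructed placeholders, and the script assumes the DELETE_CHILD variant of permission 1 and that every listed OU can be both source and destination of a move.

```powershell
# Placeholders (assumptions, not from the thread): replace with your own values.
$Group = 'EXAMPLE\Support-MoveUsers'
$OUs   = @(
    'OU=Sales,DC=example,DC=com',
    'OU=Engineering,DC=example,DC=com'
)

foreach ($ou in $OUs) {
    # Permissions 1 and 3: DELETE_CHILD and CREATE_CHILD for user objects,
    # applied to the OU itself only (/I:T), so nested OUs are not affected.
    dsacls $ou /I:T /G "${Group}:CCDC;user"
    if ($LASTEXITCODE -ne 0) { throw "Failed to set CC/DC on $ou" }

    # Permission 2: WRITE_PROP on the moved object, limited to the two
    # naming attributes (cn and name), inherited by user objects only (/I:S).
    dsacls $ou /I:S /G "${Group}:WP;cn;user" "${Group}:WP;name;user"
    if ($LASTEXITCODE -ne 0) { throw "Failed to set WP on $ou" }
}

# Review the result: list only the ACEs that mention the delegated group,
# to confirm that no broader write right was granted.
foreach ($ou in $OUs) {
    "--- $ou ---"
    dsacls $ou | Select-String -SimpleMatch $Group
}
```

Because write access to `cn` and `name` also permits renaming a user in place, and CREATE_CHILD / DELETE_CHILD permit creating and deleting users in these OUs, the review output is worth keeping with the change record.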