Rights needed to move computer objects between OUs

Discussion in 'Active Directory' started by Spin, Sep 13, 2008.

  1. Spin

    Spin Guest

    Gurus,

    In order to move computer objects out of the default Computers container and
    into various OUs, or to move computer objects between OUs, what kind of
    rights do you need? I need to be able to delegate this task to my helpdesk
    staff.
     
    Spin, Sep 13, 2008
    #1

  2. Hello Spin,

    They need the right to "create" the object in the destination container/OU
    and "delete" the object in the source container/OU.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Sep 13, 2008
    #2

  3. this is quite a pain to delegate....

    what you could do:
    * assign delete/create for computer accounts in the computers container to
    all computer (accounts) admins
    * assign delete/create for computer accounts in the OU managed by some admin
    group to that admin group only

    the users container is, in the case of moving a computer account between
    OUs, the intermediate location that one admin moves the account into and
    the other moves it out of to his OU

    if you want to have a GPO applied to those computers that are initially
    joined or being moved between OUs, create another intermediate OU and
    redirect the default computers container to that OU. Link the GPO to that OU

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
     
    Jorge de Almeida Pinto [MVP - DS], Sep 13, 2008
    #3
  4. Hello,

    You can also join directly into the right OU:
    NETDOM JOIN machine /Domain:domain [/OU:ou path] [/UserD:user]
    [/PasswordD:[password | *]]
    [/UserO:user] [/PasswordO:[password | *]]
    [/REBoot[:Time in seconds]]

    /OU Organizational unit under which to create the machine account.
    This must be a fully qualified RFC 1779 DN for the OU.
    If not specified, the account will be created under the default
    organization unit for machine objects for that domain.
     
    Mathieu CHATEAU, Sep 14, 2008
    #4
  5. Else, as explained by Meinolf Weber here
    http://forums.techarena.in/active-directory/1037696.htm
    They need the right to "create" the object in the destination container/OU
    and "delete" the object in the source container/OU.

    and in the same thread by Jorge de Almeida Pinto :

    what you could do:
    * assign delete/create for computer accounts in the computers container to
    all computer (accounts) admins
    * assign delete/create for computer accounts in the OU managed by some admin
    group to that admin group only

    the users container is, in the case of moving a computer account between
    OUs, the intermediate location that one admin moves the account into and
    the other moves it out of to his OU

    if you want to have a GPO applied to those computers that are initially
    joined or being moved between OUs, create another intermediate OU and
    redirect the default computers container to that OU. Link the GPO to that OU
     
    Mathieu CHATEAU, Sep 14, 2008
    #5
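
The delegation described in replies #2 and #3, as an added PowerShell example that is not part of the original thread: it grants create/delete of computer objects per container, redirects the default computers container to an intermediate OU, and reads the ACL back to confirm each grant. The domain, OU and group names are hypothetical placeholders, and it assumes the RSAT ActiveDirectory module, dsacls.exe and redircmp.exe are available to an account allowed to change these ACLs.

```powershell
# Added example; every name below is a hypothetical placeholder, not from the thread.
Import-Module ActiveDirectory            # provides the AD: drive used by Get-Acl

$DomainDN  = 'DC=example,DC=com'
$StagingOU = "OU=Staging,$DomainDN"      # intermediate OU that replaces CN=Computers

# Container -> group allowed to create/delete computer objects there.
$Delegations = [ordered]@{
    $StagingOU            = 'EXAMPLE\All-Computer-Admins'
    "OU=Site-A,$DomainDN" = 'EXAMPLE\SiteA-Computer-Admins'
    "OU=Site-B,$DomainDN" = 'EXAMPLE\SiteB-Computer-Admins'
}

# schemaIDGUID of the "computer" class; scoped ACEs carry it as ObjectType.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-ComputerCreateDelete {
    param([string]$ContainerDN, [string]$Trustee)
    # CC = create child, DC = delete child, restricted to class "computer".
    # /I:T = this object and its child objects (nested OUs inherit the ACE).
    & dsacls.exe $ContainerDN /I:T /G "${Trustee}:CCDC;computer" | Out-Null
}

function Test-ComputerCreateDelete {
    param([string]$ContainerDN, [string]$Trustee)
    $needed  = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $granted = 0
    foreach ($ace in (Get-Acl -Path "AD:\$ContainerDN").Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Trustee -and
            $ace.ObjectType -eq $ComputerClass) {
            $granted = $granted -bor [int]$ace.ActiveDirectoryRights
        }
    }
    return ($granted -band $needed) -eq $needed
}

# New domain joins now land in the staging OU, so a GPO linked there applies.
& redircmp.exe $StagingOU

foreach ($dn in $Delegations.Keys) {
    Grant-ComputerCreateDelete -ContainerDN $dn -Trustee $Delegations[$dn]
    if (-not (Test-ComputerCreateDelete -ContainerDN $dn -Trustee $Delegations[$dn])) {
        Write-Warning "Expected create/delete ACE for $($Delegations[$dn]) not found on $dn"
    }
}
```

The script applies only the create and delete rights named in the thread, so confirm an actual move with a delegated test account before handing the task to the helpdesk.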