create computer object

[hutch]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have given our helpdesk group create and delete computer object over the
entire domain.

However, they are still not able to drag a computer out of the built in
computer OU to one of the OU's that we have created for policies.

Is there an additional permission that I need to give?

Thanks in advance for any help,
Hutch

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

You will need to delegate those users administration to that OU.
They will then be able to drag/move computers into the OU

"Hutch" wrote:

> I have given our helpdesk group create and delete computer object over the
> entire domain.
>
> However, they are still not able to drag a computer out of the built in
> computer OU to one of the OU's that we have created for policies.
>
> Is there an additional permission that I need to give?
>
> Thanks in advance for any help,
> Hutch

 

[hutch]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

If by saying delegate administration of that OU, if you mean to just give
them create and delete computer objects of the OU the objects are being moved
to, they already have that.

Or do I need to grant them permissions above that?

Thanks,
Hutch

"JSilva" wrote:

> You will need to delegate those users administration to that OU.
> They will then be able to drag/move computers into the OU
>
> "Hutch" wrote:
>
> > I have given our helpdesk group create and delete computer object over the
> > entire domain.
> >
> > However, they are still not able to drag a computer out of the built in
> > computer OU to one of the OU's that we have created for policies.
> >
> > Is there an additional permission that I need to give?
> >
> > Thanks in advance for any help,
> > Hutch

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hutch,

You are on the right track.

In order to allow moves between OU's the user you are delegating will also
need delete object permissions on the built on computer OU.

So the user needs at least delete permission (althoug it is not actually
deleting) on the built-in computer ou and create permission on the OU the
user needs to move the computer to.

You may also need to give the write-all-properties permission to the
delegated user so that the object's ou location etc can be updated.

Hope this helps.


"Hutch" wrote:

> If by saying delegate administration of that OU, if you mean to just give
> them create and delete computer objects of the OU the objects are being moved
> to, they already have that.
>
> Or do I need to grant them permissions above that?
>
> Thanks,
> Hutch
>
> "JSilva" wrote:
>
> > You will need to delegate those users administration to that OU.
> > They will then be able to drag/move computers into the OU
> >
> > "Hutch" wrote:
> >
> > > I have given our helpdesk group create and delete computer object over the
> > > entire domain.
> > >
> > > However, they are still not able to drag a computer out of the built in
> > > computer OU to one of the OU's that we have created for policies.
> > >
> > > Is there an additional permission that I need to give?
> > >
> > > Thanks in advance for any help,
> > > Hutch

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

http://blog.joeware.net/2005/07/17/48/

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Hutch wrote:
> I have given our helpdesk group create and delete computer object over the
> entire domain.
>
> However, they are still not able to drag a computer out of the built in
> computer OU to one of the OU's that we have created for policies.
>
> Is there an additional permission that I need to give?
>
> Thanks in advance for any help,
> Hutch