Computer Objects

Guest
Archived from groups: microsoft.public.win2000.active_directory

Hello
I am trying to find the correct permission to delegate the authority to MOVE
computer objects within ADUC. It is obvious that the permission to create and
delete computer objects is available per OU, but I would also like to delegate
the authority to move computer objects within AD without giving too many
rights.

Additionally, is it possible to change the default location for created
computer accounts within AD? Can this change be made within AD?

Thank you very much for your assistance,

Mark Clark
 
Guest

Mark,

With the permission to move comes the question, "To where?" This is not
something that you can really do without thoroughly defining where they can
move them and what permissions you consider "too many." Once you have this
well defined, the configuration will be a lot clearer -- I am thinking the
majority of your work here will be giving the appropriate thought as to what
and where you really want to assign permissions.

For the redirection of the default containers to OUs, please see:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbf_upwn_pyog.asp

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"Mark Clark" <MarkClark@discussions.microsoft.com> wrote in message
news:714B5747-1EEB-4385-8672-8BA55776D5CC@microsoft.com...
> Hello
> I am trying to find the correct permission to delegate the authority to MOVE
> computer objects within ADUC. It is obvious that the permission to create and
> delete computer objects is available per OU, but I would also like to delegate
> the authority to move computer objects within AD without giving too many
> rights.
>
> Additionally, is it possible to change the default location for created
> computer accounts within AD? Can this change be made within AD?
>
> Thank you very much for your assistance,
>
> Mark Clark
 
Guest

In a nutshell, if you want to move items in the DS from one container to
another, you need three permissions:
1) DELETE on the object being moved or DELETE_CHILD on the source container
2) WRITE_PROP on the object being moved for RDN and CN.
3) CREATE_CHILD on the target container

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Mark Clark wrote:
> Hello
> I am trying to find the correct permission to delegate the authority to MOVE
> computer objects within ADUC. It is obvious that the permission to create and
> delete computer objects is available per OU, but I would also like to delegate
> the authority to move computer objects within AD without giving too many
> rights.
>
> Additionally, is it possible to change the default location for created
> computer accounts within AD? Can this change be made within AD?
>
> Thank you very much for your assistance,
>
> Mark Clark
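The three-permission rule from the last reply, as an added example (not code from any poster in this thread): a small audit helper that reports which move requirement a delegate is still missing. The ACE tuples, the trustee name and the sample ACLs are constructed; real ACEs identify object types by GUID, and this sketch only looks at allow ACEs already resolved to one trustee.

```python
# Access-mask bits from ADS_RIGHTS_ENUM.
DELETE = 0x10000       # ADS_RIGHT_DELETE
CREATE_CHILD = 0x1     # ADS_RIGHT_DS_CREATE_CHILD
DELETE_CHILD = 0x2     # ADS_RIGHT_DS_DELETE_CHILD
WRITE_PROP = 0x20      # ADS_RIGHT_DS_WRITE_PROP

def granted(aces, trustee, right, object_type=None):
    """True if an allow ACE gives `trustee` the `right`, either unscoped
    (ACE object type None) or scoped to `object_type`.
    Each ACE is a constructed (trustee, mask, object_type) tuple."""
    return any(t == trustee and mask & right and ot in (None, object_type)
               for t, mask, ot in aces)

def missing_move_rights(trustee, obj_aces, source_aces, target_aces,
                        child_class="computer"):
    """Return the requirements still unmet for moving one object."""
    missing = []
    # 1) DELETE on the object, or DELETE_CHILD on the source container.
    if not (granted(obj_aces, trustee, DELETE)
            or granted(source_aces, trustee, DELETE_CHILD, child_class)):
        missing.append("DELETE on object or DELETE_CHILD on source")
    # 2) WRITE_PROP on the RDN attribute (ldapDisplayName "name") and on cn.
    for attr in ("name", "cn"):
        if not granted(obj_aces, trustee, WRITE_PROP, attr):
            missing.append(f"WRITE_PROP {attr} on object")
    # 3) CREATE_CHILD on the target container.
    if not granted(target_aces, trustee, CREATE_CHILD, child_class):
        missing.append("CREATE_CHILD on target")
    return missing

# Constructed sample ACLs for a hypothetical delegate group.
T = "EXAMPLE\\Helpdesk"
OBJ_OK = [(T, WRITE_PROP, "name"), (T, WRITE_PROP, "cn")]
OBJ_PARTIAL = [(T, WRITE_PROP, "name"), ("EXAMPLE\\Other", WRITE_PROP, "cn")]
OBJ_DELETE = OBJ_OK + [(T, DELETE, None)]
SRC_OK = [(T, DELETE_CHILD, "computer")]
DST_OK = [(T, CREATE_CHILD, "computer")]

if __name__ == "__main__":
    print(missing_move_rights(T, OBJ_OK, SRC_OK, DST_OK))
    print(missing_move_rights(T, OBJ_PARTIAL, SRC_OK, []))
```

An empty result means all three conditions are met; scoping DELETE_CHILD and CREATE_CHILD to the computer class, as in the sample ACLs, keeps the delegation from extending to other object types in the same OUs.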