Special Privileges about computers and users objects in Acti
Olric El Mundo Spain
Guest





Posted: Wed Jan 19, 2005 12:23 am    Post subject: Special Privileges about computers and users objects in Acti

Good Afternoon,

We're looking for special privileges in Active Directory that ONLY PERMIT
MOVING computer objects or user objects in an organization within an OU or
within subOUs. We are looking to create a special policy dedicated only
to people who have the responsibility to move machines from one dpt into another
dpt, and in that case they must change the computer and the user account from
the previous Organizational Unit to the new one but they CANNOT DO anything
else with this computer or user.

If you know the best way to put those privileges on, please answer in this
newsgroup or send mail to olric.guilloux@elmundo.es or
angel.gonzalez@elmundo.es

Thanks a lot for your help
Mental Floss
Guest





Posted: Wed Jan 19, 2005 1:01 am    Post subject: RE: Special Privileges about computers and users objects in

Hi:

You can delegate the control of these tasks to a Security Group that you
want to administer only these responsibilities. To do this, go to the OU,
right-click on the OU and select: Delegate control...

Follow the wizard and choose Custom Attributes. Within those attributes,
you can assign only the Right to move User objects and Computer objects
within the OU to the security group you selected. If you want, you can even
customize an MMC for them so that they will only have access to the OU that
they need.

For more information, go here
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

or here
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbc_logi_tnqr.asp

or here:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/deploy/dgfd_adm_gpby.asp

-MentalFloss
Joe Richards [MVP]
Guest





Posted: Thu Jan 20, 2005 6:47 am    Post subject: Re: Special Privileges about computers and users objects in

The minimum permissions you can grant to allow moves is

1) DELETE on the object being moved or DELETE_CHILD on the source container
2) WRITE_PROP on the object being moved for RDN and CN.
3) CREATE_CHILD on the target container

You can't get any better with assigning perms. If that is too much, write a
proxy website to do the work on their behalf.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


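Added example (not part of the original posts): the three minimum permissions Joe Richards lists above, applied with `dsacls` from PowerShell for both user and computer objects. The group name and OU distinguished names are placeholders, and `name` is used here as Active Directory's RDN attribute alongside `cn`.

```powershell
# Placeholders (assumptions, not from the thread): adjust to your directory.
$Group    = 'EXAMPLE\OU-Movers'                # hypothetical delegated security group
$SourceOU = 'OU=Sales,DC=example,DC=com'       # hypothetical OU objects are moved out of
$TargetOU = 'OU=Marketing,DC=example,DC=com'   # hypothetical OU objects are moved into

function Grant-OuRight {
    param(
        [string]$Dn,       # container whose ACL is modified
        [string]$Inherit,  # /I:T = this object and sub-objects, /I:S = sub-objects only
        [string]$Perm      # dsacls format: bits;object-or-property;inherited object type
    )
    # ${Group} is braced so PowerShell does not read "$Group:" as a scoped variable.
    & dsacls.exe $Dn $Inherit /G "${Group}:$Perm" | Out-Null
    # Stop if dsacls exits with a non-zero code.
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on '$Dn' for '$Perm'" }
}

foreach ($class in 'user', 'computer') {
    # 1) DELETE_CHILD on the source container, limited to this object class.
    Grant-OuRight -Dn $SourceOU -Inherit '/I:T' -Perm "DC;$class"

    # 2) WRITE_PROP on cn and on the RDN attribute (name) of the objects being
    #    moved, scoped to descendant objects of this class only.
    Grant-OuRight -Dn $SourceOU -Inherit '/I:S' -Perm "WP;cn;$class"
    Grant-OuRight -Dn $SourceOU -Inherit '/I:S' -Perm "WP;name;$class"

    # 3) CREATE_CHILD on the target container, limited to this object class.
    Grant-OuRight -Dn $TargetOU -Inherit '/I:T' -Perm "CC;$class"
}

# Review what the group now holds on each OU; nothing beyond the ACEs granted
# above should be listed for it.
foreach ($ou in $SourceOU, $TargetOU) {
    "--- $ou"
    & dsacls.exe $ou | Select-String -SimpleMatch -Pattern $Group -Context 0,2
}
```

DELETE_CHILD on the source OU also lets the group delete user and computer objects there outright, not only move them. For moves in both directions between the two OUs, run the same grants with the source and target swapped.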