Home

Tutorials

Active Directory

Delegate Moving User, Group and Computer Accounts Between Organizational Units in Active Directory (EN)

This Wiki article shows the permissions needed to delegate moving user, group and computer accounts between Organizational Units in Active Directory.

This is summarized in the following table:

Object	Organizational Unit	Permission Tab	Apply to	Permission
User	Source Organizational Unit	Object	This object and all descendant objects (*)	Delete User objects
		Properties	Descendant User objects	Write Distinguished Name
		Properties	Descendant User objects	Write name (**)
		Properties	Descendant User objects	Write Name (**)
	Destination Organizational Unit	Object	This object and all descendant objects (*)	Create User objects
Group	Source Organizational Unit	Object	This object and all descendant objects (*)	Delete Group objects
		Properties	Descendant Group objects	Write Distinguished Name
		Properties	Descendant Group objects	Write name (**)
		Properties	Descendant Group objects	Write Name (**)
	Destination Organizational Unit	Object	This object and all descendant objects (*)	Create Group objects
Computer	Source Organizational Unit	Object	This object and all descendant objects (*)	Delete Computer objects
		Properties	Descendant Computer objects	Write Distinguished Name
		Properties	Descendant Computer objects	Write name (**)
		Properties	Descendant Computer objects	Write Name (**)
	Destination Organizational Unit	Object	This object and all descendant objects (*)	Create Computer objects

(*) If you would like to allow moving a user, group or computer object from an Organizational Unit and not its sub-Organizational Units, you can choose This object only as the value of Apply to.

(**) note that "Write name" (lower case) and "Write Name" (upper case) refer to different property permissions - setting both is required.

Remark 1: In Active Directory Users and Computers administrative tool (dsa.msc), distinguishedName is a filtered property that is not displayed by default. You might want to use adsiedit.msc instead, where the property filters do not apply. Alternatively, you might change the "distinguishedName" property value from 7 (filtered) to 0 (not filtered) in the [computer] [user] and [group] sections of the dssec.dat file as described in the following article:

How to Allow the Delegation of Filtered Properties in Active Directory Users and Computers:

doc.asp?docid=1739&mcat=4&mrub=41&msrub=63

Remark 2: To be able to delegate only moving user, group or computer objects between Organizational Units with no extra permissions (such as administrator permissions), you can refer to "Using scripts running with service accounts to achieve administrative tasks" Section in the following article.

Delegation of Administration in Active Directory:

doc.asp?docid=1728&mcat=4&mrub=41&msrub=63

The latest tutorials

23/03/2019 How to identify active hosts in your networks and perform horizontal TCP port scans

06/03/2019 Stop perfecting your Active Directory Domain Services Password / Lockout Policies – It is time to invest on Multi-Factor Authentication and Compensating Controls

09/02/2019 An Effective Approach to Protect Administrative Accesses to Your Datacenters and Cloud Resources

17/01/2019 How to create a Lag Site for your Active Directory Domain Services setup

About Tunit

Tunit helps you plan your Microsoft systems integration and administration.

Certainly, having a good Management of your IT systems improve your Business performance while it can, when it is poorly managed, obstruct the responsiveness and efficiency of your organization. We are here to help you so do not hesitate to follow us.

View more