(*) If you want to allow moving a user, group or computer object out of an Organizational Unit but not out of its sub-Organizational Units, choose "This object only" as the value of "Apply to".
(**) Note that "Write name" (lower case) and "Write Name" (upper case) refer to two different property permissions; both must be set.
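The following PowerShell script is an added example (not part of the original article) showing how both property permissions from footnote (**) can be granted to a delegate group on an OU, with the scope from footnote (*) selectable. It assumes the ActiveDirectory module, the placeholder OU `OU=Staff,DC=example,DC=com` and group `EXAMPLE\OU-Movers`, and that the ACL editor entries "Write name" and "Write Name" correspond to the attributes `name` (RDN) and `cn` respectively (an assumption; verify against your schema).

```powershell
# Added example; assumptions: ActiveDirectory module, placeholder OU and group,
# and the mapping "Write name" -> 'name', "Write Name" -> 'cn'.
Import-Module ActiveDirectory

$ouDn     = 'OU=Staff,DC=example,DC=com'                        # placeholder OU
$delegate = New-Object System.Security.Principal.NTAccount('EXAMPLE', 'OU-Movers')  # placeholder group
$sid      = $delegate.Translate([System.Security.Principal.SecurityIdentifier])
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUID by lDAPDisplayName so no GUIDs are hard-coded.
function Get-SchemaGuid {
    param([string]$LdapDisplayName, [string]$Class)   # $Class: attributeSchema or classSchema
    $obj = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=$Class)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $obj) { throw "$LdapDisplayName not found in schema" }
    return [guid]$obj.schemaIDGUID
}

# Limit the ACEs to user objects; use 'group' or 'computer' for those object types.
$userClassGuid = Get-SchemaGuid -LdapDisplayName 'user' -Class 'classSchema'

# Scope: Descendents covers objects in sub-OUs as well; Children restricts the
# ACE to direct children of this OU only (the property ACEs must reach the
# objects themselves, so "This object only" (None) is not applicable here).
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($attrName in 'name', 'cn') {        # both property permissions are required (footnote **)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid -LdapDisplayName $attrName -Class 'attributeSchema'),
        $inheritance,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: show the WriteProperty ACEs now held by the delegate on this OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq 'EXAMPLE\OU-Movers' -and
                   $_.ActiveDirectoryRights -eq 'WriteProperty' } |
    Select-Object IdentityReference, ObjectType, InheritanceType, InheritedObjectType
```

The ObjectType column of the verification output should list two different attribute GUIDs, one per attribute, confirming that both permissions were written rather than one overwriting the other.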
Remark 1: In the Active Directory Users and Computers administrative tool (dsa.msc), distinguishedName is a filtered property and is not displayed by default. You can use adsiedit.msc instead, where the property filters do not apply. Alternatively, change the "distinguishedName" property value from 7 (filtered) to 0 (not filtered) in the [computer], [user] and [group] sections of the dssec.dat file, as described in the following article:
How to Allow the Delegation of Filtered Properties in Active Directory Users and Computers:
doc.asp?docid=1739&mcat=4&mrub=41&msrub=63
Remark 2: To delegate only the moving of user, group or computer objects between Organizational Units, without granting any extra permissions (such as administrator permissions), see the section "Using scripts running with service accounts to achieve administrative tasks" in the following article.
Delegation of Administration in Active Directory:
doc.asp?docid=1728&mcat=4&mrub=41&msrub=63