Yes, you can delegate the permission at the Computers container level. As to the repurcussions - it could be worse. If the most damage one can do is to delete some computer accounts, then that's a mitigatable risk - given that the alternative is that they won't be able to move them.
I wouldn't leave anything in the container that you don't want them to mess with. But - we are talking about computer accounts. If they were user accounts, this would be a quite different conversation. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of cflesher > Sent: Wednesday, November 06, 2002 10:56 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Move computer within domain question.... > > > Thanks for the response. I'm not sure if that's a solution, > though. If I have to manually give that right to each object > in the Computers container, it sort of defeats the purpose of > delegating out the authority. Is giving them full control > over the Computers container itself the same thing? Can you > see any repucussions to this approach? > > Chris Flesher > The University of Chicago > NSIT/DCS > 1-773-834-8477 > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of Rick Kingslan > Sent: Wednesday, November 06, 2002 10:19 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Move computer within domain question.... > > > Chris, > > You're likley going to have to give them Full Control on the > Computer objects in the Advanced properties in the Computer > Container and the target OU. You're not giving up much by > giving them FC on a computer object - because if you want > them to move it, they have to be able to delete it, as you've > stated. But, there is a change of permissions that really > only does come with FC on the object. > > Try this and let me know if that works. I have this > documented, but not on hand at the moment. > > Rick Kingslan MCSE, MCSA, MCT > Microsoft MVP - Active Directory > Associate Expert > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of cflesher > Sent: Wednesday, November 06, 2002 9:14 AM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Move computer within domain question.... > > > I'm trying to delegate authority to a user to move computer > objects from the Computers Container to another OU. What > permissions are required to do this? I gave the user > create/delete computer objects for the Computer Container and > create/delete computer objects for the target OU. However, > this user is still getting errors. Any help would be appreciated. > > Chris Flesher > The University of Chicago > NSIT/DCS > 1-773-834-8477 > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
