AD – Delegate permissions to add / delete / move / modify computer objects

Our goal here is to delegate permissions for creating, deleting, moving, modifying computer objects in specified OU by specified group without being given full control over the object or OU.

Go to OU Properties -> Security -> Advanced -> Add, then select principal (group or user you want to delegate permissions to), type – Allow.

Permissions Tab
Apply onto This object and all descendant objects

  • Create Computer objects
  • Delete Computer objects

2015-02-05 08_12_12-sneu2013 - Remote Desktop Connection 2015-02-05 08_12_50-sneu2013 - Remote Desktop Connection

Permissions Tab
Apply onto Descendant Computer Objects

  • List Contents
  • Read All Properties
  • Delete
  • Delete Subtree
  • Read Permissions
  • All Validated Writes
  • All Extended Rights

2015-02-05 08_17_33-sneu2013 - Remote Desktop Connection

Properties Tab
Apply onto Descendant Computer Objects

  • Write  Account Restrictions
  • Write Computer name (pre-Windows 2000)
  • Write Description
  • Write msDS-User-Account-Control-Computed
  • Write msDS-UserPasswordExpiryTimeComputed
  • Write userParameters
  • Read Personal Information
  • Write Personal Information
  • Read Public Information
  • Write Public Information

2015-02-05 08_23_19-sneu2013 - Remote Desktop Connection

At the end you just have to confirm change of permissions:

2015-02-05 08_27_24-sneu2013 - Remote Desktop Connection

 

If you want to delegate only move permissions, apply only these settings which are marked with green color above. Remember that it has to be done on both – source and destination OU.

One thought on “AD – Delegate permissions to add / delete / move / modify computer objects

  1. When i go to effective permissions to check settings im still getting a red X on Delete Computer objects. any help would be great thanks!

Leave a Reply