AD 2003

For GPO application purposes (and profiling computer strategy), I need to
delegate the "create/delete computer Object" admin to a simple user.
No problem for the user to create, disable,delete the computer in the
"Computers OU and children OUs).
But "Access Denied" when the user try to move the computer object between my
2 children OU (Lightly Managed & Highly Managed).

Computers OU
|-----Lightly Managed (Lightly Managed GPO is applied)
|-----Highly Managed (Highly Managed GPO is applied)



I know by article
http://www.microsoft.com/technet/tre...hnet/prodtechn
ol/windowsserver2003/proddocs/standard/dsadmin_computers_move_account.asp
that to perform this procedure the user should be a member of the buitin
groups "account operator", or "domain admins" or "enterprise admins".
They talk about an appropriate authority to delegate ????

Does someone know the permission/right I need to give the user?

Assuming that move is
from: lightly managed
to: highly managed

You have to add 3 rights for this operation:

On lightly managed ou:
a)
User has to have right to delete child objects of computer
type.d
b)
User has to have right to modify "name" attribute of child
objects of computer type.


On highly managed ou:
c)
User has to have right to create child objects of computer
type.

These rights can be added by using adsiedit.msc UI.

You may consider to create gorup computerMovers and give
the rights to this group.

Note:
(b) might be tricky. Be careful to give the right only for
child objects. For inheritance options on security tab of
adsiedit.msc make sure to select "apply only to computer
objects"

Gokay
This posting is provided "AS IS" with no warranties, and
confers no rights

Check out Knowledge Base Article - 818091