joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Moving objects between OUs

by @ 5:29 pm on 7/17/2005. Filed under tech

The question “what permissions do I need to delegate to move objects between OUs?” seems to crop up in the newsgroups again and again.

Whenever I encounter the question I post some info originally posted to the groups by Dmitri Gavrilov back in 2003. If you don’t know who Dmitri is, he is one of the DS Core Developers at MS and is quite intelligent and very helpful/active in the DS newsgroups. If you post a question and you get a response from Dmitri, you should tend to listen to what he says because there aren’t many people responding in the newsgroups that have better information than he does.

So for the sake of documenting this in yet another place I give Dmitri’s response to the question “What permissions do I need to delegate to allow someone to move objects between OUs?”.

In order to move an object in DS, you need the following three permissions:

1) DELETE_CHILD on the source container or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN (name) and CN (or whatever happens to be the rdn attribute for this class, i.e. ou for org units).
3) CREATE_CHILD on the destination container.


Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided “AS IS” with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
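As an added example (not part of Dmitri's message or of the original post), the script below delegates exactly those three permissions to a group with PowerShell, scoped to user objects only so the group cannot create or delete anything else. It assumes the ActiveDirectory module and its AD: drive are available; the group name and OU distinguished names are placeholders. For permission 1 it takes the DELETE_CHILD-on-the-source-container route rather than DELETE on each object.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module; the group and OU names below are placeholders.
Import-Module ActiveDirectory

$Delegate = 'OU-Movers'                          # placeholder group
$SourceOU = 'OU=Staging,DC=contoso,DC=com'       # placeholder source container
$DestOU   = 'OU=Employees,DC=contoso,DC=com'     # placeholder destination container

# Resolve schemaIDGUIDs from the schema at run time instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$userClass = Get-SchemaGuid 'user'   # object class the delegate may create/delete
$cnAttr    = Get-SchemaGuid 'cn'     # the rdn attribute for the user class
$nameAttr  = Get-SchemaGuid 'name'   # RDN

$sid    = (Get-ADGroup -Identity $Delegate).SID
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# 1) DELETE_CHILD on the source container, limited to user objects
$deleteChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::DeleteChild, $Allow, $userClass, $inh::None)

# 2) WRITE_PROP on name (RDN) and cn, for user objects under the source container
$writeName = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::WriteProperty, $Allow, $nameAttr, $inh::Descendents, $userClass)
$writeCn = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::WriteProperty, $Allow, $cnAttr, $inh::Descendents, $userClass)

# 3) CREATE_CHILD on the destination container, limited to user objects
$createChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::CreateChild, $Allow, $userClass, $inh::None)

function Add-AceToContainer([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules) {
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}
Add-AceToContainer -Dn $SourceOU -Rules @($deleteChild, $writeName, $writeCn)
Add-AceToContainer -Dn $DestOU   -Rules @($createChild)

# Verify: show the ACEs now held by the delegate group on both containers
foreach ($dn in $SourceOU, $DestOU) {
    "--- $dn"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
```

The object-type GUIDs are what keep this to least privilege: without them, DELETE_CHILD and CREATE_CHILD would let the group delete or create any class of object in those containers, not just users. For a different class (org units, say), swap the class GUID and use that class's rdn attribute (ou) in place of cn, exactly as the message notes.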

The little bit I will add to this (hopefully some value add) is that MS realizes that having to hold Create Child and Delete Child on the containers just to move an object is painful in some environments. They do realize that there should be a “move” permission of some sort. Maybe someday we might get it.

If you don’t trust the people you want to give the move rights to not to do other bad things, I recommend you do what you probably should have done initially: set up some sort of proxy system for them to do their work through, probably web based. Instead of delegating direct permissions to do the work, you delegate the ability to request that the work be done on their behalf through some front end. That front end passes the request to some middleware which determines whether all business rules are being followed, logs the request, performs the work on the backend, and logs the result.

This sounds like a lot, but it results in a much safer and more secure environment: one where you aren’t constantly asking how this or that happened, or how that got deleted or moved, etc.
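As an added illustration of the middleware layer just described (my own sketch, not code from the post), the function below is what the proxy would run on behalf of a requester: it checks the business rules (only user objects, only between an allow-listed source and destination OU), logs the request with the requester's identity, performs the move under the service account the middleware runs as, and logs the outcome. The ActiveDirectory module, the OU names and the log path are assumptions.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module; OU names and the log path are placeholders.
Import-Module ActiveDirectory

# Business rule: which source OU may feed which destination OUs (placeholders)
$AllowedMoves = @{
    'OU=Staging,DC=contoso,DC=com' = @(
        'OU=Employees,DC=contoso,DC=com',
        'OU=Contractors,DC=contoso,DC=com'
    )
}

function Write-MoveLog([string]$Path, [string]$Message) {
    # One line per event, timestamped, appended; the requester is recorded on every line
    Add-Content -Path $Path -Value ("{0} {1}" -f (Get-Date).ToString('o'), $Message)
}

function Invoke-MoveRequest {
    param(
        [Parameter(Mandatory)][string]$Requester,   # identity of the person using the front end
        [Parameter(Mandatory)][string]$ObjectDn,    # object to move
        [Parameter(Mandatory)][string]$TargetOu,    # destination container
        [string]$LogPath = 'C:\Logs\move-requests.log'
    )
    # Parent DN = object DN with its first RDN removed (handles escaped commas in the RDN)
    $sourceOu = $ObjectDn -replace '^(?:[^,\\]|\\.)+,', ''

    $obj = Get-ADObject -Identity $ObjectDn -ErrorAction SilentlyContinue
    $allowed = ($null -ne $obj) -and
               ($obj.ObjectClass -eq 'user') -and
               $AllowedMoves.ContainsKey($sourceOu) -and
               ($AllowedMoves[$sourceOu] -contains $TargetOu)

    if (-not $allowed) {
        Write-MoveLog $LogPath "DENIED requester=$Requester object=$ObjectDn target=$TargetOu"
        return $false
    }

    Write-MoveLog $LogPath "REQUEST requester=$Requester object=$ObjectDn target=$TargetOu"
    try {
        # Runs as the middleware's service account; the requester never holds AD rights
        Move-ADObject -Identity $ObjectDn -TargetPath $TargetOu -ErrorAction Stop
        Write-MoveLog $LogPath "OK requester=$Requester object=$ObjectDn target=$TargetOu"
        return $true
    }
    catch {
        Write-MoveLog $LogPath "FAILED requester=$Requester object=$ObjectDn error=$($_.Exception.Message)"
        return $false
    }
}

# Example call (the front end would supply these values from the authenticated session)
Invoke-MoveRequest -Requester 'CONTOSO\helpdesk1' `
    -ObjectDn 'CN=Jane Doe,OU=Staging,DC=contoso,DC=com' `
    -TargetOu 'OU=Employees,DC=contoso,DC=com'
```

The point of the pattern is visible in the log: every move, denied or performed, is recorded with who asked for it, which is the answer to the “how did that get moved?” question the post mentions.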

We now return you to your regularly scheduled program…


One Response to “Moving objects between OUs”

  1. Rajesh Kumar says:

    A very good example of Web Based AD Management Solution, take a look
    http://www.rallenhome.com/conferences/RAllen_Automating_Active_Directory_Management.ppt
