How to Grant Permission to Move Computer Accounts to a User or Group
http://support.microsoft.com/kb/818091
Summarising this article, the permissions you need to allocate to an account object for creating and moving (deleting!) computer accounts in the domain.
Create account in OU
Read access for OU's from the top-level domain, down the tree to the OU. Very Important
Create/Delete "Computer Objects"
Reset/Change Password for "Computer Objects"
As per Create
Write all properties this is the key permission that allows objects to be moved out of the OU
No comments:
Post a Comment