0 votes

I have a root OU that I created called Disabled. I want to give the Computer Manager role the necessary permissions to move a computer to any OU/sub tree desired. They can move them to the root, built-in computer OU but nothing else. What Permissions do I need to give them? Thanks!

by (360 points)

1 Answer

0 votes
by (18.0k points)
selected by
Best answer

Hello,

To move computers, a user must be granted two permissions:

  1. Move Objects from Container (applied to Computer objects)
  2. Move Computer Objects to Container (applied to Container and OU objects in your scenario)

The first permission must be assigned over the computers that you want to allow moving.
The second permission must be assigned over the target OUs/containers (where computers will be moved).

  1. Select the Computer Manager role in the Console Tree and click Add in the Result Pane.
  2. In the dialog that opens, select the Computer object type in the object type list.
  3. In the General Permissions section, select Allow for the Move Objects From Container permission.

Users will be able to move only the computers included in the activity scope of the Computer Manager role.

Now you need to specify to which OUs/containers users will be able to move computers. It is recommended to use a separate role for this purpose.

  1. Run the Security Role Creation wizard.
  2. At the 2nd step of the wizard, click Add. The Add Permissions dialog will open.
  3. In the object type list, select Container and Organizational Unit.
  4. In the Operations on child objects list, select Allow for the Move Objects to Container permission.
  5. Click the Select object types link, select the Computer object type and click OK.
  6. At the 3rd step of the wizard, select a user or a group in the Assign to list, and click Assign.
  7. Select the Disabled OU, click Add and select the This Organizational-Unit object option. If you want to allow moving computers to the OUs located under the Disabled OU, select the Child objects of this Organizational Unit option.
  8. Click OK two times.
  9. Click the Assign button once again.
  10. In the Object Types drop-down list, select the Container object type.
  11. Select the built-in Computers container, click Add, configure Assignment Options, and click OK two times.
0
0

Thank you working great!

0

Hi

I have followed this instruction, but with groups as targets.

I have a Security role with following permission:
- Move Objects From Container (Apply to Group).
- Move Objects From Container (Apply to Organizational-Unit)
- Move Group Objects To Container (Apply To Organizational-Unit)

But I get an Access Denied when trying to move a group within the scope.
I'm member of the Security Role.

Do I need more permissions ?

- Thanks

0

Hello,

Could you provide us with a screenshot of Security Role with Assignments? We need something like the following:

Also, could you post here or send us names of source and target containers (e.g. example.com\Departments\IT) for group move action?

0


"Assistant" attribute on the groups are working in another situation.

Groups are to be moved within a limited scope, like:
-Groups
-- Category1
-- Category2
-- Category3

The "assistant" should be able to move his groups from eg. Category1 to Category3.

Thanks

0

Hello,

The issue occurs because in case of move operation permissions of the Trustee (Assistant in your case) are checked twice. Before moving a group from an OU, Adaxes checks whether the initiator is the Assistant of the group, then before moving to the OU, Adaxes checks whether the initiator is the Assistant of the OU. As long as OUs have no Assistants, Adaxes returns Access Denied error. To remedy the issue, you need to create another Security Role that will allow all users to move groups to the OUs under Groups OU. The role will be like the following:

As long as this role allows all users to move groups to the OUs, it can happen so that a user that is not an Assistant of a group (but has permissions to move groups from other OUs) moves it to one of the OUs under Groups OU. To avoid such situations, you can create a Business Rule that will cancel such invalid move operations. If you need this, we will provide you with detailed instructions.

0

Yes, works :D :D :D

- Thanks

Related questions

0 votes
1 answer

What is the minimum permission required to move user accounts between OUs?

asked Feb 14, 2012 by BradG (950 points)
0 votes
1 answer

What permissions does a Trustee (Specifically a Manager or Owner) need over a Managed Object to make it visible in their My managed objects? The Trustee can view their ... missing read permissions of specific attributes, which are the minimum I need to allow?

asked Nov 2, 2023 by Viajaz (210 points)
0 votes
1 answer

What permissions are required in Exchange Online to use the "Cancel meetings organized by the user"?

asked Jun 5, 2023 by william.malone (60 points)
0 votes
1 answer

We are looking to automate moving of computers from the staging OU we start them in to the office specific OU we have setup in AD. Currently, they all sit in one OU ... it comes online at a new IP. Can you provide instructions or scripting to accomplish this?

asked Aug 18, 2017 by willy-wally (3.2k points)
0 votes
1 answer

What permissions are required, other than Domain Admin, to edit the Adaxes configuration (business rules, property patterns, custom commands, etc.) in the console and the edit the web portal configurations in the AdaxesConfig web site?

asked Dec 6, 2019 by RickWaukCo (320 points)
3,326 questions
3,026 answers
7,727 comments
544,678 users