To move Active Directory objects from one Organizational Unit to another, a user must be granted two rights:
Move Objects From Container, granted on an Active Directory object, allows the user to move that object out of its current OU. Move Objects To Container, granted on an OU, allows the user to move objects into that OU. A move succeeds only when the user holds both rights: the first on the object being moved, the second on the destination OU.
The Move Objects From Container right must therefore be assigned on the AD objects (or the containers holding them) that you want to allow moving, and the Move Objects To Container right on the Organizational Units that you want to allow moving objects to. Depending on your requirements, it is sometimes better to use two Security Roles to delegate the permissions: one role grants the Move Objects From Container right, and the other grants the Move Objects To Container right, so that the source and destination scopes can be assigned independently.
In this tutorial you will learn how to create a Security Role that grants the permissions necessary to move objects in Active Directory, and how to assign the role to users so that they can move objects to or from specific Organizational Units only.
Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role.
Enter a name for the new Security Role and click Next.
To add the permission to move objects out of OUs (Move Objects From Container):
Click the Add button. The Add Permissions dialog will open.
In the General permissions list, check the Move Objects From Container permission in the Allow column.
To add the permission to move objects to OUs (Move Objects To Container):
Click the Add button again.
In the Operations on child objects list, check the Move Objects To Container permission in the Allow column.
To allow moving only specific types of Active Directory objects, click Select object types and select the object types you need.
It is a good practice to add the Read permission to all Security Roles. It ensures that users have the right to view the objects they manage. By default, the right to view Active Directory objects is granted by the built-in Security Role Domain User, but since those default rights can be changed, adding the Read permission explicitly keeps the role working on its own.
Click OK. On the Permissions page of the wizard, you will see the permissions you have added.
On the Assignments step, click Add to assign the Security Role to users.
Select the users and groups to whom you want to assign the permissions, and click Next.
Select the scope of objects which you want to assign the permissions on.
Select the following items:
All Objects - select to allow moving any object to any Organizational Unit in all domains managed by Adaxes.
Specific Domain - select to allow moving any object to any Organizational Unit within a specific domain.
Container - select to apply the permissions to a container (such as Organizational Unit). The Move Objects From Container permission will allow moving objects located in the selected container out of the container. The Move Objects To Container permission will allow moving objects to the selected container.
Group - select to allow moving members of a group out of their Organizational Unit or container.
Business Unit - select to allow moving members of a Business Unit out of their Organizational Unit or container. If the selected Business Unit includes containers (e.g. Organizational Units), the assignment will allow moving objects to the containers. To select a Business Unit, open the Look in drop-down list and select the Business Units item.
When done, click Finish to complete the Assign Role wizard.
Click Finish to complete the Create Security Role wizard.
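After the role is assigned, it is worth confirming that the delegated account can move objects only between the intended Organizational Units. The following PowerShell script is an added example, not part of the original tutorial or of the Adaxes product documentation. It assumes the Adaxes PowerShell module is installed on the machine where it runs and that the service host, account, OU paths and object name are placeholders to be replaced with your own. The role is assumed to have been assigned on the source OU (giving Move Objects From Container on its contents) and on one target OU (giving Move Objects To Container on it), with no assignment on a third OU.

```powershell
# Added example (not from the original tutorial): checks the effective scope of a
# Security Role that grants Move Objects From Container and Move Objects To Container.
# Assumptions: Adaxes PowerShell module installed; all names below are placeholders.
Import-Module Adaxes

$adaxesService = "localhost"   # assumption: host running the Adaxes service
$delegatedUser = Get-Credential -Message "Account the Security Role was assigned to"

# Constructed test layout (assumption):
#   $sourceOU - the container the role was assigned on (Move Objects From Container)
#   $targetOU - the OU the role was assigned on as destination (Move Objects To Container)
#   $deniedOU - an OU with no assignment at all
$sourceOU   = "OU=Staging,DC=example,DC=com"
$targetOU   = "OU=Employees,DC=example,DC=com"
$deniedOU   = "OU=Admins,DC=example,DC=com"
$testObject = "CN=John Smith,$sourceOU"

function Test-Move {
    param([string]$Identity, [string]$TargetPath)
    try {
        # Move-AdmObject runs the operation through the Adaxes service as the
        # delegated account, so the Security Role (not raw AD ACLs) decides the outcome.
        Move-AdmObject -Identity $Identity -TargetPath $TargetPath `
            -AdaxesService $adaxesService -Credential $delegatedUser -ErrorAction Stop
        return "ALLOWED"
    } catch {
        return "DENIED: $($_.Exception.Message)"
    }
}

# 1. Destination the role was NOT assigned on: expected DENIED, because
#    Move Objects To Container is missing on $deniedOU even though
#    Move Objects From Container is present on the object.
"Move to $deniedOU -> " + (Test-Move $testObject $deniedOU)

# 2. Destination the role WAS assigned on: expected ALLOWED (both rights present).
"Move to $targetOU -> " + (Test-Move $testObject $targetOU)

# 3. Moving the object back: expected DENIED unless the role is also assigned on
#    $targetOU (for Move Objects From Container) and on $sourceOU (for
#    Move Objects To Container). Each direction needs its own pair of assignments.
"Move back to $sourceOU -> " + (Test-Move "CN=John Smith,$targetOU" $sourceOU)
```

Run the script as an administrator who can read the result, but supply the delegated user's credentials in the prompt; the third check is the one most often overlooked, since assigning the role on one OU as source and another as destination does not make the move reversible.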