Been a while since I did some AD delegation work. As part of an automation I am developing, I wanted to delegate rights to move user objects between two OUs. I thought it would be simple in terms of permissions:
- On the source OU (where the account is) delegate rights to delete user objects.
- And on the destination OU (where the account is going to) delegate rights to create user objects (in my case I gave full control as this was just a throwaway OU).
This always trips me up in the delegation wizard as it’s not very obvious.
What you need to do at this stage is select the “custom task” option.
And then click “Next”.
And here tick “creation/deletion of specific child objects”, scroll down, and then select either “Create User Objects” or “Delete User Objects” as needed.
In my case, however, Move-ADObject kept giving an access denied error. The permissions were correct – because I could delete a user object from the source OU and create one in the destination OU, it’s just that I can’t move things.
I came across this StackOverflow post and that helped. Turns out in the source OU I need to grant this additional permission:
“Read and write public information” for User Objects.
Maybe this is needed so the OU Name attribute of the user object can be changed? That’s one of the properties that comes under public information.
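The same three ACEs set from PowerShell instead of the wizard, as an added example that is not part of the original post. It assumes the ActiveDirectory module, a placeholder group (OU-Movers) holding the automation account, placeholder OU DNs, and grants only create/delete rather than the full control I used on the throwaway destination OU; the object and property-set GUIDs are looked up in the schema rather than hard-coded.

```powershell
# Added example (not the post's own code). Placeholders: group name and OU DNs.
# Run as an account allowed to modify the two OUs' security descriptors.
Import-Module ActiveDirectory

$group    = Get-ADGroup 'OU-Movers'                          # placeholder group
$sourceOu = 'OU=Staging,DC=example,DC=com'                   # placeholder source OU DN
$destOu   = 'OU=Users,DC=example,DC=com'                     # placeholder destination OU DN

$rootDse = Get-ADRootDSE
$sid     = [System.Security.Principal.SecurityIdentifier] $group.SID

# schemaIDGUID of the 'user' class and rightsGuid of the 'Public Information'
# property set, resolved from the schema/configuration partitions at run time.
$userClassGuid = [guid] (Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$publicInfoGuid = [guid] (Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Public Information)' -Properties rightsGuid).rightsGuid

function Add-OuAce {
    # Append one ACE to an OU's DACL via the AD: PSDrive.
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:$Dn"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:$Dn" -AclObject $acl
}

# 1. Source OU: allow deleting child objects of class user (on the OU itself).
Add-OuAce $sourceOu (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'DeleteChild', 'Allow', $userClassGuid, 'None'))

# 2. Destination OU: allow creating child objects of class user.
Add-OuAce $destOu (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild', 'Allow', $userClassGuid, 'None'))

# 3. Source OU: read/write the Public Information property set on descendant
#    user objects, the extra right Move-ADObject needed in the post.
Add-OuAce $sourceOu (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ReadProperty, WriteProperty', 'Allow', $publicInfoGuid, 'Descendents', $userClassGuid))

# Show the resulting ACEs for the group so the delegation can be checked.
foreach ($ou in $sourceOu, $destOu) {
    (Get-Acl -Path "AD:$ou").Access | Where-Object { $_.IdentityReference -like "*$($group.Name)" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}
```

Run the lookup and Select-Object part first on a lab domain to confirm the resolved GUIDs before applying the ACEs to production OUs.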