Joe and Jorge posted these back in 2005 and 2006, but they’re impossible for me to find in Google lately, possibly because of age:
In order to move an object in DS, you need the following three permissions:
1) DELETE_CHILD on the source container or DELETE on the object being moved
2) WRITE_PROP on the object being moved for two properties: RDN (name) and
CN (or whatever happens to be the rdn attribute for this class, i.e. ou for
3) CREATE_CHILD on the destination container.
SDE, Active Directory Core
This posting is provided “AS IS” with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
But, what, specifically does that mean?
- To provide these rights, after delegating control for the Creation and Deletion of the object (Computer/User/etc.), open ADSIEDIT.MSC and navigate to the OU in question.
- Right-click the OU and choose “Properties”
- Click on the “Security” tab.
- Click the “Advanced” button.
- Click the “Add” button to add a new security right.
- Enter the group you want to delegate the control to and click “OK”
- Choose the “Properties” tab.
- In the pulldown, choose “Descendent Computer Objects”
- Read and Write canonicalName
- Read and Write name
- Read and Write Name