This article describes how to grant permission to move computer accounts to a designated user or group. Occasionally you may want to move computer accounts to reflect changes in organizational or managerial structure, to account for a transfer of equipment ownership, or to make it easier to apply Group Policy.
For example, many organizations put all new computer accounts in the
Computers container in Active Directory. However, this makes it difficult to keep track of which computers belong to which departments. Additionally, Group Policy cannot be applied to the
Computers container because it is not an organizational unit. When you keep all computer accounts in the same container, this also limits your ability to delegate administrative control of those accounts. By moving accounts to the appropriate Active Directory organizational unit, this more accurately reflects the actual distribution of resources in the organization, and it enhances your ability to delegate administrative duties.
To grant permission to move computer accounts to a designated user or group, first identify the user or group that will be granted this permission, and then identify the destination organizational unit where computer accounts will be moved. Next, grant the user or group permission to remove computers from the present location (for example, the
Computers container), and then grant the user or group permission to move computers to the destination organizational unit. To do this, follow these steps.
Back to the top
Step 1: Identify the User or Group and the Destination Organizational Unit
To grant permission to move computer accounts to a designated user or group, you must first:
| • |
Identify the user or group that will be granted permission to move computer accounts.
-and- |
| • |
Identify the destination organizational unit where the user or group will be permitted to move computer accounts. |
Back to the top
Step 2: Grant the User or Group Permission to Remove Computers from the Computers Container
| 1. |
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. |
| 2. |
In Active Directory Users and Computers, click View, and then click to select Advanced Features. |
| 3. |
Right-click Computers, and then click Properties. |
| 4. |
Click the Security tab, and then click Advanced. |
| 5. |
In the Access Control Settings for Computers dialog box, click Add, click the name of the user or group to whom you want to grant permission to remove computers from the Computers container, and then click OK. |
| 6. |
In the Permission Entry for Computers dialog box, click This object only in the Apply onto list. |
| 7. |
In the Permissions list, find the Delete Computer Objects permission, click to select the Allow check box next to this permission, and then click OK. |
| 8. |
In the Access Control Settings for Computers dialog box, click Add, click the name of the user or group to whom you want to grant permission to remove computers from the Computers container, and then click OK. |
| 9. |
Click the Properties tab, and then click computer objects in the Apply onto list. |
| 10. |
In the Permissions list, find the Write All Properties permission, click to select the Allow check box next to this permission, and then click OK three times. |
Back to the top
Step 3: Grant the User or Group Permission to Move Computers to the Destination Organizational Unit
| 1. |
In Active Directory Users and Computers, right-click the destination organizational unit where the users or group will be permitted to move computer accounts, and then click Properties. |
| 2. |
Click the Security tab, and then click Advanced. |
| 3. |
In the Access Control Settings for Computers dialog box, click Add, click the name of the user or group to whom you want to grant permission to move computers into this container, and then click OK. |
| 4. |
In the Permissions list, find the Create Computer Objects permission, click to select the Allow check box next to this permission, and then click OK three times. |
