Active Directory Permissions: Delete vs Move

active-directorydelegationpermissions

I want our help desk to be able to move user accounts but NOT delete them. Here is the summary of our current permissions set on the affected OU's (this DOES allow them to delete user accounts):

Allow – Full Control – Descendant User objects
Allow – Create/Delete User objects – This object and all descendent objects

If I change that top row by editing the ACE and unchecking the "Delete" box, I get my desired result of the help desk being unable to delete user objects. However then they get Access Denied errors when they try to move users between OUs.

Is what I want possible? Does Microsoft seriously not distinguish moves versus deletions?

Best Answer

Logically a "move" is a copy (or in filesystem parlance a hard link) followed by a delete: you can't move something if you can't remove it from its original location.

So no, Microsoft doesn't distinguish between "move" and "delete" because in order to do the former you must, by necessity, do the latter.

If you want to prevent accidental deletion of user accounts/objects within AD you can set them to "Protect object from accidental deletion" either manually on the Object tab of the user in ADUC:

enter image description here

or you can script it for every user object in AD all at once:

Get-ADObject -filter {(ObjectClass -eq "user")} | Set-ADObject -ProtectedFromAccidentalDeletion:$true

Related Solutions

Active Directory – How to Find Name of Active Directory Domain Controller

On any computer, that has DNS configured to use AD's DNS server do:

Start -> Run -> nslookup

set type=all
_ldap._tcp.dc._msdcs.DOMAIN_NAME

Replace DOMAIN_NAME with the actual domain name e.g. example.com. Read more here.

Active Directory running slow (When browsing the directory)

Well, there's a lot more to do, since you really haven't done much. The tests you ran don't test performance, and as far as I can tell, you've only tested from one client, so we can't even rule out that it's a client issue.

In order, I would:

Try to replicate the symptoms from other clients to determine if it's client-side issue or not.
Do a high-level check of network utilization when the issue occurs, to make sure there isn't a correlation to a spike in traffic.
Set up performance monitoring on the server(s) in question.
- It could be that the domain controller you're connected to it running at a high utilization of some resource (bandwidth, concurrent connections, CPU disk queue, etc.) and the delay is a result of your request being queued.
- In fact, I had the same issue with the main DC in our organization because the CPU was getting tapped out periodically during the work day, so before setting up a full battery of perfmon monitors, I'd RDP into the server, open up task manager and see if RAM, CPU, network or disk I/O are maxing out when this problem surfaces.

If none of that discovers your problem, I'd be surprised, but you'll at least have a better basis for advanced troubleshooting and looking into potential bugs with ADDS and your DC OS versions, scanning through MS hotfixes and looking for KBs that might relate to your situation.

Best Answer

Related Solutions

Active Directory – How to Find Name of Active Directory Domain Controller

Active Directory running slow (When browsing the directory)

Related Topic