Powershell – Move-ADObject Access is Denied when using limited access credentials

active-directorypowershell

I have OU folders in the root of my AD that look similar to this:

AA
--AB
BA

All of these OU's contain computer accounts. I have a computer in BA that I want to move to AB. I am using credentials that are not Domain Admin credentials and have very limited access to resources. The credentials have full access to AA, AB, and BA.

If my computer is in BA and I issue the following powershell command:

Move-ADObject -Identity $myComp -TargetPath "OU=AB,DC=contoso,DC=com" -Credentials $myCred

Then it fails with Access Is Denied. However, if the same exact computer account resides in AA, then this same statement works fine. I can also move it from AB to BA without issue.
I have verified that none of the OU's has the prevent from accidental deletion option turned on. I can move back and forth between AA and AB, I just can't move there from an OU with a different root.

I can't think of anything else to do to diagnose. So, I am asking for input to see if anyone else knows how to diagnose what is going on and perhaps find where the access is denied is coming from.

Best Answer

It turns out that Create Computer objects and Delete Computer objects are not all the privileges required to make this work. You also need to have Write-Property for Common-Name ({bf96793f-0de6-11d0-a285-00aa003049e2}) or for Public Information ({e48d0154-bcf8-11d1-8702-00c04fb96050}). I don't see a way to manipulate the Write Common-Name privilege, so allowing Write to Public Information seems to be the least privilege option.

If you are creating a new Computer object from a low privilege account, the easiest way to do this is to create an ACE for the OU that applies to descendant computer objects and grants the Write public information privilege (under Properties: in the Windows Server 2012 R2 ACE editor UI, but only if you restrict to Descendant Computer objects) to the low privilege account. This privilege allows the name to change and, along with Create Computer objects on the target OU and Delete Computer objects on the source OU, should allow the Move-ADObject cmdlet to function as expected.

Related Solutions

RDP – System Administrator Restricts Use of Saved Credentials for Remote Login

If you don't want to change local or server side GPOs:

Go to Control Panel -> Credential Manager on the local computer you are trying to connect from.
You will see three sections:

Windows Credentials
Certificate-Based Credentials
Generic Credentials

Remove the credentials from Windows Credentials and add it to Generic Credentials.

Powershell – Move-ADObject errors upon taking CSV-file input

I've found its easier to get the object then to move the object. You need to pass an AD object to Move-ADObject when using the pipeline, or you can pass a completed identity. So you'll retrieve the ADUser, then preform actions on it, i.e. pass it to Move-ADOject.

Import-CSV C:\Path\To\CSV\file.csv | ForEach-Object { Get-ADUser -Identity $_.Name | Move-ADObject -targetpath "OU=Region1/2,OU=OU2,OU=OU1,DC=Something,DC=local" }

If you can gaurentee that to can build the whole identity string on the fly, then you method could be possible. The CSV would have to contain the identity string though, "CN=Test User,OU=OU2,OU=OU1,DC=Something,DC=local"

I can't seem to add a comment to the other answer, but I can explain why your having the string issue. It has to do with $_ variable expansion within the quoted string. You can see this demonstrated here.

PS C:\> Import-Csv .\test.csv | %{$_.name}
Test User
PS C:\> Import-Csv .\test.csv | %{"$_.name"}
@{Name=Test User; SamAccountName=TU; displayName=Test User}.name
PS C:\> Import-Csv .\test.csv | %{"$($_.name)"}
Test User

My test.csv file contains:

Name,SamAccountName,displayName
Test User,TU,Test User

The string expansion just parses the $_ within the string, using $( [variable] ) tells powershell to expand the variable within the string.

So using this should work

Import-CSV C:\Path\To\CSV\file.csv | %{ Move-ADObject -identity "CN=$($_.Name),OU=OU2,OU=OU1,DC=Something,DC=local" -targetpath "OU=Region1/2,OU=OU2,OU=OU1,DC=Something,DC=local" }

Best Answer

Related Solutions

RDP – System Administrator Restricts Use of Saved Credentials for Remote Login

Powershell – Move-ADObject errors upon taking CSV-file input

Related Topic