2008R2 AD: Delegated permissions to move user objects not working only for 1 sub-OU
Hi - in our 2008 R2-level AD, we have a service account whose PowerShell script runs nightly in order to sync user attributes and re-organize staff user objects into sub-OUs, per the authoritative data in our HR system. There's a "Staff" OU, with various sub-OUs defined by our internal organizational structure. The staff user objects are in the sub-OUs. I've delegated the account the appropriate permissions on the Staff OU, and can confirm that they are propagating down to the sub-OUs as expected. This works fine except for one of the sub-OUs. In this particular sub-OU, the service account can modify user attributes, but attempts to move a user object from this sub-OU to a sub-OU at the same level fail with "access denied". This only happens with this one sub-OU. The service account can move user objects between all of the other sub-OUs, and it can move user objects into this sub-OU, but it cannot move user objects out of this sub-OU.
I've gone through line-by-line the advanced security properties of this sub-OU compared to one at the same level, and they are identical. I've tried re-delegating the permissions to no avail. I've run the ADU&C MMC as the service account, and I experience the same "access denied" error when I try to move user objects out of this sub-OU manually via drag 'n drop (to eliminate the PS code as a potential problem point). I've verified that the users I am trying to move out of this sub-OU do not have the "protect object from accidental deletion" option checked.
This AD implementation precedes my employment, and there is a lot of legacy stuff in here. I'm not sure what else to check. Does anyone have ideas on things I should check?
Thanks in advance.
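The following is an added diagnostic script, not the poster's nightly script or anything from the thread. Moving an object out of an OU needs Delete on the object (or Delete Child on the source OU) in addition to Create Child on the target, and an explicit Deny ACE for Delete, Delete Child or Delete Subtree anywhere in that chain produces "access denied" even when the Allow entries match a sibling OU exactly. The script lists every such Deny ACE on the sub-OU and its parent, and then checks whether any object inside the sub-OU (not just the users, but nested OUs, groups or computers) still carries the "protect from accidental deletion" flag, because ADUC implements that flag partly as a Deny "Delete all child objects" ACE for Everyone on the object's parent. The OU distinguished names are placeholders; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original post): find Deny ACEs that block moving
# objects out of one OU. Run as an account that can read the ACLs, not as the
# service account. DNs below are placeholders and must be replaced.
Import-Module ActiveDirectory

$ouDn     = 'OU=ProblemSubOU,OU=Staff,DC=example,DC=local'   # placeholder
$goodOuDn = 'OU=WorkingSubOU,OU=Staff,DC=example,DC=local'   # placeholder, a sibling that works

# Any of these rights in a Deny ACE can stop a move out of the container.
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

function Get-DenyDeleteAces {
    param([string]$DistinguishedName)
    # Get-Acl over the AD: drive returns an ActiveDirectorySecurity object.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (($_.ActiveDirectoryRights -band $deleteRights) -ne 0)
        } |
        Select-Object @{ n = 'Object'; e = { $DistinguishedName } },
                      IdentityReference, ActiveDirectoryRights, IsInherited,
                      InheritanceType, ObjectType, InheritedObjectType
}

# 1. Deny ACEs on the sub-OU itself and on its parent (the Staff OU).
$parentDn = ($ouDn -split ',', 2)[1]
$ou = Get-ADOrganizationalUnit -Identity $ouDn -Properties ProtectedFromAccidentalDeletion
"Sub-OU protected from accidental deletion: $($ou.ProtectedFromAccidentalDeletion)"
Get-DenyDeleteAces -DistinguishedName $ouDn     | Format-Table -AutoSize
Get-DenyDeleteAces -DistinguishedName $parentDn | Format-Table -AutoSize

# 2. Every object under the sub-OU that is still protected. A protected child
#    places a Deny "Delete all child objects" ACE for Everyone on the sub-OU,
#    which denies moving *any* sibling out, including users that are not
#    themselves protected.
Get-ADObject -SearchBase $ouDn -SearchScope Subtree -Filter * `
             -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName, ObjectClass |
    Format-Table -AutoSize

# 3. Diff the Deny entries against a sibling OU where moves succeed; anything
#    that shows up only on the problem OU ('<=' side) is the first suspect.
Compare-Object (Get-DenyDeleteAces -DistinguishedName $ouDn) `
               (Get-DenyDeleteAces -DistinguishedName $goodOuDn) `
               -Property IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Step 2 is the one the ADUC Security tab does not make obvious: the protect flag is shown on the child object, but the ACE that stops the move lives on the container, so a line-by-line comparison of the two sub-OUs' Allow entries looks identical while the Deny entry for Everyone differs. Clearing the flag on the offending child (or removing the stale Deny ACE if the child is already gone) restores the delegated Delete Child right.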