We have a user that we want to give rights to create/delete computer objects in an OU.
I granted these rights and it works fine.

The problem is on some existing computer accounts when they try and delete the object via script they they get Access denied, you do not have sufficient privileges to delete xxx. I tried as the user in ADUC and got a warning "Object xxx contains other objects. Are you sure you want to delete object xxx and all the objects it contains"

I then traced this back to working out the computer object contains and MSMQ configuration.

What rights do I need to assign the user for them to be able to delete the object from AD including this "MSMQ configuration" and when scripting is there a switch they can use to skip the warning?

BTW,
I have granted Delete "MSMQ Queue Alias objects" & Delete "MSMQ Group objects".

• Edited by Calzor_Suzay 19 hours 24 minutes ago

Hi Calzor,

Thanks for your post.

The warning comes because a computer object is a container for other objects. Compare it to an OU for example. An attached printer to a workstation could render this warning. In your scenario, it is MSMQ. If you turn on the "view users, computers as containers" in Active Directory Users and Computers you'll see the various objects in your computer object. Then in the console tree, right-click MSMQ. Click delete. When prompted, click Yes.

https://technet.microsoft.com/en-us/library/cc736601(v=ws.10).aspx

If you have any other information related to the issue, please feel free to contact.

Best Regards,

Mary Dong