Rights to remove MSMQ Configuration

We have a user that we want to give rights to create/delete computer objects in an OU.
I granted these rights and it works fine.

The problem is on some existing computer accounts when they try and delete the object via script they get Access denied, you do not have sufficient privileges to delete xxx. I tried as the user in ADUC and got a warning "Object xxx contains other objects. Are you sure you want to delete object xxx and all the objects it contains".

I then traced this back to working out the computer object contains an MSMQ configuration.

What rights do I need to assign the user for them to be able to delete the object from AD including this "MSMQ configuration" and when scripting is there a switch they can use to skip the warning?

BTW,
I have granted Delete "MSMQ Queue Alias objects" & Delete "MSMQ Group objects".

July 14th, 2015 11:29am

I know all that and yes I can delete it as a domain admin...

I need to know what rights to set so that a restricted account using a script can remove it.

July 15th, 2015 4:19am

Hi Calzor_Suzay,

>>I need to know what rights to set so that a restricted account using a script can remove it.

You could use the Delegation of Control Wizard to release the permission for the specific user to manage the OU.

https://technet.microsoft.com/en-us/library/Cc732524.aspx

You could follow Morgan Simonsen's blog for a reference. Based on my testing, you need to select both "create selected objects in this folder" and "Delete selected objects in this folder" for achieving the goal: create/delete computer objects.

https://morgansimonsen.wordpress.com/2013/12/17/delegating-computer-object-management-tasks/

If you have any problem related to the issue, please feel free to contact us.


Best Regards,

Mary Dong

July 15th, 2015 10:38pm
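
A read-only way to see what a delegation like the one discussed above actually granted on the OU, added here as an example and not part of any post in this thread. The OU DN and account name are placeholders, and the script assumes the ActiveDirectory PowerShell module is available; it resolves the class GUIDs for computer and MSMQ configuration objects from the schema so the ACEs can be read by class name.

```powershell
# Added example (not from the thread): list the Allow ACEs a delegated
# account holds on an OU and label which object classes they refer to.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$ouDn    = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$trustee = 'EXAMPLE\computer-admin'              # placeholder delegated account

# Map schema GUIDs to class names by querying the schema, not hardcoding.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$classNames = @{}
$classNames[[guid]::Empty] = '(all)'
foreach ($name in 'computer', 'mSMQConfiguration') {
    $class = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if ($class) { $classNames[[guid]$class.schemaIDGUID] = $name }
}

function Get-ClassLabel([guid]$Id) {
    # Fall back to the raw GUID for classes/attributes not looked up above.
    if ($classNames.ContainsKey($Id)) { $classNames[$Id] } else { $Id.ToString() }
}

# ObjectType  : child class (or attribute) the right is limited to
# InheritedTo : class of descendant object the ACE is inherited by
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference.Value -eq $trustee -and
        $_.AccessControlType -eq 'Allow'
    } |
    Select-Object ActiveDirectoryRights,
        @{ n = 'ObjectType';  e = { Get-ClassLabel $_.ObjectType } },
        @{ n = 'InheritedTo'; e = { Get-ClassLabel $_.InheritedObjectType } },
        InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Rows whose ObjectType is `computer` are the create/delete computer delegation; whether any row names `mSMQConfiguration` shows if the delegation reaches the child objects the question describes.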
