Create a global security group which have full control priviledge to manage an OU and able to moving computer objects in Active Directory built in Computers container into an OU created earlier without using builtin group Account Operators.
System: Windows Server 2008 R2
– Create Global Security group and new OU
1) Logon as Administrative privileges your Windows Server AD DC.
2) Create a Global Security Group,example I create group with name IT AD Admin then I add username test as a member of IT AD Admin group.
3) Create new OU called Bali and new OU Computers inside it,the OU later will delegate controls to IT AD Admin group.
– Delegate Control Bali OU
1) Right-Click Bali OU choose Delegate Control… -> click Next -> search and add IT AD Admin group click Next
2) Select Create a custom task to delegate -> click Next
3) Select This folder, existing objects in this folder, and creation of new objects in this folder -> click Next.
4) Check all options -> click Next -> click Finish
– Delegate Control builtin Computers containers to IT AD Admin group so can move computer object to Bali OU > Computers OU
1) Right-Click builtin Computers container and select Properties
2) Click the Security tab and click the Advanced button
3) Click the Add button, search IT AD Admin group then add and click OK.
4) Select Apply to: This Object and all descendant objects, under Permissions box select Create Computer objects and Delete Computer objects then click OK.
5) Repeat step 1-3
6) Select Apply to: Descendant Computer objects, under Permissions box select Write all properties then click OK.
Finish, do some test.
– Create,delete object inside Bali OU.
– Moving computer object after computer join into domain to Bali > Computers OU