Unable to move OU in Active Directory (Access is denied)
Background
I tried moving an OU in Active Directory today and received an "Access is denied" error. Upon further inspection of my AD user account, I had the necessary permission to move the object (I had full permission on the set of OUs I was working with), and I have moved items multiple times in AD over the course of my IT career, which also makes it a little odd that I just ran into this for the first time now, but nonetheless.
What I tried
- Giving my individual AD user account permission to the particular OUs as opposed to just the AD Security Group I was a part of that had permission on the OUs already
- Using a Domain Admin account to try the move
- Resetting my user account password then logging off and on and opening AD and moving the OU
- Tried connecting to a different Domain Controller and performing the move
- Tried connecting to AD through a different server with RSAT installed and performing the move
All of these ended without success.
The Question
Why can I not move an OU in Active Directory to another OU when I have full permission on both OUs?
Solution 1:
Although there are multiple posts dealing with accidental deletion protection, ACEs/ACLs, permissions, and moves/deletes in general, I couldn’t find one dealing with my specific issue however simple it may be.
Answer
If you’re getting an "Access is denied" error when trying to move an OU that you know you have permission to, simply follow these steps:
- Right-click the OU, or object, in question and select Properties
- From here navigate to the Object tab; if you don’t see the Object tab click View on the top file menu and select Advanced Features, then repeat step 1.
- On the Object tab you’ll see an option to “Protect object from accidental deletion”. If it’s checked, simply uncheck it.
- Move the OU to the desired location
- Repeat steps 1 and 2, and then check the box to enable deletion protection on the object again.
Microsoft treats a move as a delete in AD, so even though you’re not technically deleting the OU, the operation of moving it implies a delete of the object in the process, and that is why you can’t move it even though your user account may have full control over that particular OU/object in AD. Hope this helps anyone banging their head against a wall like I was.
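The same procedure in PowerShell, as an added example that is not part of the question or the answer above. It assumes the RSAT ActiveDirectory module is installed and that the caller holds the rights on both OUs that the poster describes; the two OU distinguished names are constructed placeholders. It checks the flag behind the "Protect object from accidental deletion" checkbox, clears it only if it is set, performs the move, and re-enables protection on the moved OU (or on the original OU if the move fails) so the safeguard is never left off.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and the permissions described in the answer. DNs are constructed placeholders.
Import-Module ActiveDirectory

$ouDn         = 'OU=Sales,OU=Departments,DC=example,DC=com'   # constructed: OU to move
$targetParent = 'OU=Archive,DC=example,DC=com'                # constructed: new parent OU

# Step 1-3: read the flag behind "Protect object from accidental deletion".
# Under the hood this flag is a Deny ACE for Delete/Delete Subtree on the object,
# which is why an otherwise fully-permitted account gets "Access is denied" on a move.
$ou        = Get-ADOrganizationalUnit -Identity $ouDn -Properties ProtectedFromAccidentalDeletion
$protected = [bool]$ou.ProtectedFromAccidentalDeletion
Write-Host "Before move: ProtectedFromAccidentalDeletion = $protected"

$currentDn = $ouDn
try {
    if ($protected) {
        # Clear the protection only when it is actually set.
        Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
    }

    # Step 4: move the OU. The DN changes, so capture the new object with -PassThru.
    $moved     = Move-ADObject -Identity $ouDn -TargetPath $targetParent -PassThru
    $currentDn = $moved.DistinguishedName
    Write-Host "Moved to: $currentDn"
}
finally {
    # Step 5: restore protection whether or not the move succeeded, on whichever DN
    # the OU now has, so the window with protection disabled is as short as possible.
    if ($protected) {
        Set-ADOrganizationalUnit -Identity $currentDn -ProtectedFromAccidentalDeletion $true
    }
}

# Verify the final state.
Get-ADOrganizationalUnit -Identity $currentDn -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
```

Run it from an elevated PowerShell session as an account with the rights described above; the `try`/`finally` is there so that a failed `Move-ADObject` (for example, a typo in the target DN) does not leave the OU unprotected.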