In Active Directory, to allow IT Support staff to move user objects between Organizational Units (OUs) without granting permissions to create or delete user accounts, you need to carefully manage the permissions assigned to them.
For the MOVE operation, the following permissions are indeed required:
- DELETE_CHILD permission on the source OU (or DELETE permission on the object being moved), since the object is removed from its old parent.
- WRITE_PROP permission on the object being moved for its Relative Distinguished Name (RDN) attribute and its Common Name (CN) attribute, since both are rewritten when the object's distinguished name changes.
- CREATE_CHILD permission on the destination OU, since the object is added under its new parent.
However, if you want to restrict the ability to create or delete user accounts while still allowing the MOVE operation, you can achieve this by:
- Granting the permissions required for the MOVE operation as listed above, scoped to the user object class on the OUs involved rather than to all object classes.
- Explicitly denying the CREATE and DELETE permissions on the user objects themselves within the OUs, so that the explicit Deny takes precedence over the inherited Allow.
This setup allows the IT Support staff to move users between OUs while preventing them from creating or deleting user accounts. Therefore, it is technically possible and supported to configure these permissions so that only the MOVE operation is allowed without granting create or delete permissions. After applying the ACEs, verify the effective result with a test account in the group: the move should succeed, and an attempt to create or delete a user in either OU should be refused.
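The three grants listed above, applied with PowerShell as an added example (not code from the original answer): the group name, OU paths and domain are placeholders, the schema GUIDs are resolved from the live schema, and the script must run as an account allowed to modify the OU ACLs.

```powershell
# Added example: delegate the MOVE rights for user objects to one group.
# Assumed placeholders: group 'IT-Support-Movers', OUs under DC=example,DC=com.
Import-Module ActiveDirectory

$group    = Get-ADGroup 'IT-Support-Movers'                 # hypothetical group
$sourceOU = 'OU=Staff,DC=example,DC=com'                    # hypothetical source OU
$destOU   = 'OU=Contractors,DC=example,DC=com'              # hypothetical destination OU
$sid      = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve schemaIDGUIDs for the user class and for the RDN (name) and cn attributes,
# so each ACE is limited to exactly that class or attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" `
                        -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userClassGuid = Get-SchemaGuid 'user'
$nameAttrGuid  = Get-SchemaGuid 'name'    # RDN attribute
$cnAttrGuid    = Get-SchemaGuid 'cn'

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# Read the OU's ACL, append one ACE, write it back via the AD: drive.
function Add-Ace([string]$ouDn, [System.DirectoryServices.ActiveDirectoryAccessRule]$rule) {
    $acl = Get-Acl -Path "AD:\$ouDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
}

# 1. Source OU: DELETE_CHILD, limited to children of class user, on the OU itself only.
Add-Ace $sourceOU (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::DeleteChild, $allow, $userClassGuid, $inherit::None))

# 2. Destination OU: CREATE_CHILD, limited to children of class user, on the OU itself only.
Add-Ace $destOU (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::CreateChild, $allow, $userClassGuid, $inherit::None))

# 3. Both OUs: WRITE_PROP on name and cn, inherited only by descendant user objects.
foreach ($ou in @($sourceOU, $destOU)) {
    foreach ($attr in @($nameAttrGuid, $cnAttrGuid)) {
        Add-Ace $ou (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $rights::WriteProperty, $allow, $attr, $inherit::Descendents, $userClassGuid))
    }
}
```

Review the resulting ACLs with `Get-Acl -Path "AD:\$sourceOU" | Select-Object -ExpandProperty Access` (or dsacls) before handing the group to staff, since the Create Child and Delete Child entries are the ones a later audit will flag.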