I have created a Computer account in OU=AutoCreatedVMs,OU=Computer. I have allowed the AD Group Join-Move-Delete VMs to Create/delete Computer objects in OU AutoCreatedVMs. I have an account called svc_jenkins and made it a member of AD Group Join-Move-Delete VMs.

I can't delete VMs from that OU when logged on as svc_jenkins:
```
PS C:\> gci env:username

Name                           Value
----                           -----
USERNAME                       svc_jenkins

PS C:\> Get-ADComputer test

DistinguishedName : CN=test,OU=AutoCreatedVMs,OU=Computer,DC=duck,DC=loc
DNSHostName       :
Enabled           : True
Name              : test
ObjectClass       : computer
ObjectGUID        : 7dd3b09a-d079-467a-b69f-90a2e30c363d
SamAccountName    : TEST$
SID               : S-1-5-21-1075642099-280362434-2919291742-3630
UserPrincipalName :

PS C:\> Get-ADComputer test|Remove-ADComputer -Confirm:$False
Remove-ADComputer : Access is denied
At line:1 char:21
+ Get-ADComputer test|Remove-ADComputer -Confirm:$False
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (CN=test,OU=Auto...,DC=duck,DC=loc:ADComputer) [Remove-ADComputer], UnauthorizedAccessException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.RemoveADComputer
```
Any ideas what I've done wrong? Domain controller is Windows Server 2012 R2.
UPDATE: I tried it again 20 minutes later and it worked. Nothing else changed.
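The first thing to verify in a situation like this is that the delegation actually landed on the OU as intended. The following script is an added example, not code from the question; it reads the DACL of the OU through the AD: drive and reports whether the group holds CreateChild/DeleteChild scoped to the `computer` class, which is what the "Create/delete Computer objects" delegation grants. The OU DN is taken from the `Get-ADComputer` output above and the group name from the question; both are assumptions you should adjust for your own domain.

```powershell
# Added example (not from the original question): audit the delegation on the OU.
# Assumed values: OU DN from the question's Get-ADComputer output, group name from the question.
Import-Module ActiveDirectory

$ouDn  = 'OU=AutoCreatedVMs,OU=Computer,DC=duck,DC=loc'
$group = Get-ADGroup -Identity 'Join-Move-Delete VMs'

# ACEs show the trustee as DOMAIN\Name when it resolves, otherwise as a raw SID; accept both.
$groupNames = @(
    $group.SID.Value,
    $group.SID.Translate([System.Security.Principal.NTAccount]).Value
)

# Object-specific ACEs are scoped by the schema class GUID; look up 'computer' instead of hard-coding it.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

# Read the DACL as seen by the DC this session is bound to
$dcInUse = (Get-ADRootDSE).dnsHostName
$acl     = Get-Acl -Path "AD:\$ouDn"
$aces    = @($acl.Access | Where-Object { $groupNames -contains $_.IdentityReference.Value })

if ($aces.Count -eq 0) {
    Write-Warning "No ACE for '$($group.Name)' on $ouDn as seen by $dcInUse."
    return
}

"ACEs for '$($group.Name)' on $ouDn (as seen by $dcInUse):"
$aces | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType |
    Format-Table -AutoSize

# A right applies to computer objects if it is scoped to the computer class GUID or is unscoped (Empty GUID).
function Test-DelegatedRight {
    param([System.DirectoryServices.ActiveDirectoryRights]$Right)
    [bool]($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $Right) -ne 0) -and
        ($_.ObjectType -eq $computerGuid -or $_.ObjectType -eq [guid]::Empty)
    })
}

$canCreate = Test-DelegatedRight -Right ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)
$canDelete = Test-DelegatedRight -Right ([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)

"Create computer objects in OU : $canCreate"
"Delete computer objects in OU : $canDelete"
if (-not $canDelete) {
    Write-Warning 'DeleteChild for the computer class is missing on this DC; Remove-ADComputer will be denied here.'
}
```

Run this from a session that can read the OU's security descriptor (any domain user can by default). Because `Get-Acl` on the AD: drive talks to a single DC, the result describes only that DC's copy of the ACL.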
If PowerShell was already running as the service account when you added it to the group, that group membership wouldn't have applied to that session. Did you perhaps open a new PowerShell session later when it worked?
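The point in this answer can be checked directly: a process's access token is built at logon, so a group added afterwards is absent from every session that was already running. The script below is an added example, not part of the answer; it compares the group SIDs in the current session's token with the account's group memberships as AD reports them now, and then checks specifically for the `Join-Move-Delete VMs` group named in the question (assumed name). Run it inside the session you are testing.

```powershell
# Added example (not part of the answer above): token group membership vs. AD group membership.
# Assumed: the group name from the question; the script runs in the session being checked.
Import-Module ActiveDirectory

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Group SIDs baked into this process's token at logon (includes nested groups and well-known SIDs)
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# Direct group memberships as the directory currently reports them for this account
$adGroups = @(Get-ADPrincipalGroupMembership -Identity $identity.User.Value)

# Groups AD knows about that the token does not: memberships granted after this logon
$stale = @($adGroups | Where-Object { $tokenSids -notcontains $_.SID.Value })

"Account : $($identity.Name)"
"Token   : $($tokenSids.Count) group SIDs"
"AD      : $($adGroups.Count) direct memberships"

if ($stale.Count -gt 0) {
    foreach ($g in $stale) {
        Write-Warning "Member of '$($g.Name)' in AD, but the group is not in this session's token."
    }
    Write-Warning 'Start a new logon session (log off/on, or runas) so the token picks up the new membership.'
} else {
    'Every direct AD group membership is present in the current token.'
}

# Specific check for the delegated group from the question
$target = Get-ADGroup -Identity 'Join-Move-Delete VMs'
if ($tokenSids -contains $target.SID.Value) {
    "Token contains '$($target.Name)'; rights delegated to it apply to this session."
} else {
    "Token does not contain '$($target.Name)'; rights delegated to it cannot apply to this session."
}
```

`whoami /groups` gives the same token view without the AD module; the value of the script is the side-by-side comparison with what the directory currently says. Note that `Get-ADPrincipalGroupMembership` lists direct memberships only, so the comparison is one-way: a group in the token that is absent from the AD list is usually just a nested or built-in group, not an error.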
You have more than one domain controller?
My guess is that the MMC was connected to one DC and you (or the PowerShell) tried to remove the computer object on the other, just before the security setting was replicated.
When you tried 20 minutes later, it was replicated granting you the permission.
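The replication explanation in this answer can be confirmed rather than guessed at, because each DC keeps per-attribute replication metadata. The script below is an added example, not code from the answer; it reads the metadata of the OU's `nTSecurityDescriptor` (the attribute that holds the DACL) from every DC in the domain, flags DCs whose version lags behind, and shows two ways to avoid the race: forcing a single-object sync of the OU, or running the lookup and the delete against one explicitly chosen DC. The OU DN and the computer name `test` are taken from the question and are assumptions.

```powershell
# Added example (not from the answer above): has the OU's DACL change replicated to every DC?
# Assumed: OU DN and computer name from the question.
Import-Module ActiveDirectory

$ouDn     = 'OU=AutoCreatedVMs,OU=Computer,DC=duck,DC=loc'
$computer = 'test'

$dcs = @((Get-ADDomainController -Filter *).HostName)

# Version and origin of the last change to the OU's security descriptor, as each DC sees it
$meta = foreach ($dc in $dcs) {
    Get-ADReplicationAttributeMetadata -Object $ouDn -Server $dc -Properties nTSecurityDescriptor |
        Select-Object @{ n = 'DC'; e = { $dc } },
                      Version,
                      LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity
}
$meta | Format-Table -AutoSize

$versions = @($meta.Version | Sort-Object -Unique)
if ($versions.Count -gt 1) {
    $newest = $meta | Sort-Object Version -Descending | Select-Object -First 1
    Write-Warning "DACL on $ouDn has not converged: versions $($versions -join ', ') across DCs."
    Write-Warning "Latest change is held by $($newest.DC); DCs behind it still evaluate the old ACL and deny the delegated rights."

    # Option A: push just this object from the DC holding the latest change to the others
    # (requires replication rights on the naming context, e.g. Domain Admins)
    foreach ($dc in ($dcs | Where-Object { $_ -ne $newest.DC })) {
        Sync-ADObject -Object $ouDn -Source $newest.DC -Destination $dc
    }
} else {
    "DACL on $ouDn is at version $($versions[0]) on all $($dcs.Count) DCs."
}

# Option B: pin both the lookup and the delete to the same DC, so the ACL that was set there
# is the one evaluated. Pick the DC the MMC was connected to when the delegation was made.
$targetDc = $dcs | Select-Object -First 1
Get-ADComputer -Identity $computer -Server $targetDc |
    Remove-ADComputer -Server $targetDc -Confirm:$false
```

Reading the metadata needs no special rights, so the first half is safe to run as the service account to see whether its delegation has arrived on the DC it is about to use; `repadmin /showrepl` gives the partner-level view of the same lag. The `Sync-ADObject` step is an administrative action and belongs to whoever made the ACL change, not to the service account.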