Active Directory - Moving AD Objects with Powershell

Gday Everyone,

I am hoping there is an AD Permission + PowerShell wizard in here. I am trying to write a script to automate the moving of AD objects (specifically computers in this case) from one OU to another with the MDT service. The specific issue I am trying to solve is that MDT’s domain unattend.xml install does not move the computer if it already exists in AD, even with the MachineObjectOU parameter defined.

To this end I have created a script “moveou.ps1” that the machine being reimaged will use to call a machine with PS AD installed, in order to set the location.

Param
(
	[parameter(mandatory=$true,HelpMessage="Please, provide the organization unit to be used.")][ValidateNotNullOrEmpty()]$TargetOU,
	[parameter(mandatory=$true,HelpMessage="Please, provide the MDT Server to be used.")][ValidateNotNullOrEmpty()]$Server,
	[parameter(mandatory=$true,HelpMessage="Please, provide the Username to Connect to MDT Server.")][ValidateNotNullOrEmpty()]$User,
	[parameter(mandatory=$true,HelpMessage="Please, provide the Password to Connect to MDT Server.")][ValidateNotNullOrEmpty()]$Password
)

# Build the credential used both for the remoting session and for the AD cmdlets on the remote host
$cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList ($User, (ConvertTo-SecureString -String $Password -AsPlainText -Force))

# $env:COMPUTERNAME is evaluated locally (the machine being reimaged) and passed in as $args[0];
# $TargetOU is passed as $args[1]. The remote side looks the computer up and moves it.
Invoke-Command -ComputerName $Server -Credential $cred -ScriptBlock {
	Get-ADComputer $args[0] -Credential $Using:cred | Move-ADObject -TargetPath $args[1] -Credential $Using:cred
} -Args ($env:COMPUTERNAME, $TargetOU) 2>&1

As for the security, I have created an AD service account that has delegated permissions via a group.
I have one OU set up with these instructions: Correct Domain Join Account Permissions - SCCM / MDT OS Deployment
and the other OU's permissions set using a modified version (to apply a group permission rather than a user permission) of Set-OUPermissions.ps1 from GitHub / the MDT Reference Manual:

<#
Created:	 2013-01-08
Version:	 1.0
Author       Mikael Nystrom and Johan Arwidmark       
Homepage:    http://www.deploymentfundamentals.com

Disclaimer:
This script is provided "AS IS" with no warranties, confers no rights and 
is not supported by the authors or DeploymentArtist.

Author - Mikael Nystrom
    Twitter: @mikael_nystrom
    Blog   : http://deploymentbunny.com

Author - Johan Arwidmark
    Twitter: @jarwidmark
    Blog   : http://deploymentresearch.com
#>

Param
(
[parameter(mandatory=$true,HelpMessage="Please, provide a name.")][ValidateNotNullOrEmpty()]$Account,
[parameter(mandatory=$true,HelpMessage="Please, provide the organization unit to be used.")][ValidateNotNullOrEmpty()]$TargetOU
)

# Start logging to screen
Write-host (get-date -Format u)" - Starting"

# This is what we typed in
Write-host "Account to search for is" $Account
Write-Host "OU to search for is" $TargetOU

$CurrentDomain = Get-ADDomain

$OrganizationalUnitDN = $TargetOU+","+$CurrentDomain
$SearchAccount = Get-ADGroup $Account

$SAM = $SearchAccount.SamAccountName
$UserAccount = $CurrentDomain.NetBIOSName+"\"+$SAM

Write-Host "Account is = $UserAccount"
Write-host "OU is =" $OrganizationalUnitDN

dsacls.exe $OrganizationalUnitDN /G $UserAccount":CCDC;Computer" /I:T | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":LC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":RC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WD;;Computer" /I:S  | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;Name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;distinguishedName;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":RP;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":CA;Reset Password;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":CA;Change Password;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WS;Validated write to service principal name;Computer" /I:S # | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WS;Validated write to DNS host name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN

The Resulting Permissions for my Staging OU (“LostAndFound”) are:

#LOST AND FOUND
ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute, WriteDacl
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : All
ObjectType            : bf967a86-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : Self
InheritanceType       : Descendents
ObjectType            : f3a64788-5306-11d1-a9c5-0000f80367c1
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : Self
InheritanceType       : Descendents
ObjectType            : 72e39547-7b18-11d1-adef-00c04fd8d5cd
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType       : Descendents
ObjectType            : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType       : Descendents
ObjectType            : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

The permissions for the standard Office OU are:

#OFFICE
ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute
InheritanceType       : All
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute, WriteDacl
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : All
ObjectType            : bf967a86-0de6-11d0-a285-00aa003049e2
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

ActiveDirectoryRights : Self
InheritanceType       : Descendents
ObjectType            : f3a64788-5306-11d1-a9c5-0000f80367c1
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : Self
InheritanceType       : Descendents
ObjectType            : 72e39547-7b18-11d1-adef-00c04fd8d5cd
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType       : Descendents
ObjectType            : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType       : Descendents
ObjectType            : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectType   : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

Permissions were queried using the following command:

(Get-Acl -Path "AD:\[DN OF OU]").Access.Where({$_.IdentityReference -eq "[DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]"})

When I attempt to run moveou.ps1 from Office to Staging I get the following error:

Access is denied
    + CategoryInfo          : PermissionDenied: ([DN OF TEST MACHINE]) [Move-ADObject], UnauthorizedAccessException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.MoveADObject
    + PSComputerName        : [RSAT Access Server]

But if I move from Staging to Office, it works!

I have confirmed, based on https://social.technet.microsoft.com/wiki/contents/articles/20747.delegate-moving-user-group-and-computer-accounts-between-organizational-units-in-active-directory.aspx, that both OUs have the permissions required.

What Have I missed?

Thank you for any assistance,

The Fat Hacker
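A diagnostic an AD engineer would run before comparing filtered ACE dumps like the ones in the post. This is an added example, not code from the original post or from the MDT reference scripts; the parameter names ($ComputerName, $TargetOU), function names and output layout are its own, and it assumes the RSAT ActiveDirectory module is installed on the host where it runs. Unlike the Get-Acl filter in the post, which shows only the service group's own entries, it lists Allow and Deny entries from every identity on the source OU, the target OU and the computer object itself (a Deny from any principal overrides the group's Allow), resolves the class and attribute GUIDs to names, and reports the ProtectedFromAccidentalDeletion flag, which is implemented as an explicit Deny ACE on the object and makes Move-ADObject fail with "Access is denied" no matter what the OU ACLs grant.

```powershell
# Added diagnostic; not part of the original post or of the MDT scripts.
# Assumes the RSAT ActiveDirectory module and read access to the OUs and the computer object.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,   # sAMAccountName without the trailing $
    [Parameter(Mandatory = $true)][string]$TargetOU        # distinguishedName of the destination OU
)

Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# schemaIDGUID of the "computer" class (the InheritedObjectType seen in the ACE dumps)
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# A move rewrites the RDN attributes, so Write Property on them matters on the object itself.
# Resolve their schemaIDGUIDs from the schema partition instead of hard-coding them.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuids = @{}
foreach ($attr in 'name', 'cn', 'distinguishedName') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $attrGuids[$attr] = [guid]$schemaObj.schemaIDGUID
}

function Describe-ObjectType {
    # Translate an ACE ObjectType GUID into something readable
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty)      { return 'all classes / all properties' }
    if ($Guid -eq $computerClassGuid) { return 'computer (class)' }
    foreach ($name in $attrGuids.Keys) {
        if ($attrGuids[$name] -eq $Guid) { return "$name (attribute)" }
    }
    return $Guid.ToString()
}

function Get-MoveRelevantAces {
    # Every ACE on the object, Allow and Deny from any identity, that can grant or block a move:
    # create/delete of children, delete of the object, Write Property, or generic rights that imply them.
    param([string]$DistinguishedName)
    $mask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild,Delete,DeleteTree,WriteProperty,GenericWrite,GenericAll'
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { ($_.ActiveDirectoryRights -band $mask) -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Type      = $_.AccessControlType      # a Deny here overrides any Allow
                Identity  = $_.IdentityReference
                Rights    = $_.ActiveDirectoryRights
                AppliesTo = Describe-ObjectType $_.ObjectType
                Inherits  = $_.InheritanceType
                Inherited = $_.IsInherited
            }
        }
}

$computer = Get-ADComputer -Identity $ComputerName -Properties ProtectedFromAccidentalDeletion
# Parent container = the DN with its leading RDN removed (CNs containing escaped commas aside)
$sourceOU = $computer.DistinguishedName -replace '^CN=[^,]+,', ''

Write-Host "Computer  : $($computer.DistinguishedName)"
Write-Host "Source OU : $sourceOU"
Write-Host "Target OU : $TargetOU"

# The flag is an explicit Deny (Delete, DeleteTree) for Everyone on the object; while it is set,
# Move-ADObject fails with "Access is denied" regardless of what the OU ACLs grant.
if ($computer.ProtectedFromAccidentalDeletion) {
    Write-Warning 'ProtectedFromAccidentalDeletion is set on this computer object.'
}

# Deny entries are listed before Allow so the blocking ACEs are read first.
@(
    Get-MoveRelevantAces -DistinguishedName $sourceOU
    Get-MoveRelevantAces -DistinguishedName $TargetOU
    Get-MoveRelevantAces -DistinguishedName $computer.DistinguishedName
) | Sort-Object Object, @{ Expression = 'Type'; Descending = $true } | Format-Table -AutoSize -Wrap
```

Run it once for a machine that fails to move and once for one that moves, and compare the three sections per run: a move needs Delete Child (computer) on the source OU or Delete on the object, Create Child (computer) on the destination OU, and Write Property on the RDN attributes of the object, with no Deny anywhere in that chain.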