Re: Delegating permission to add computers to the domain

From: Jon Paskett (paskettj_at_email.NOSPAM.com)
Date: 03/27/04

  • Next message: b: "Re: Newbie Advice on Schema Change" 
    Date: Sat, 27 Mar 2004 12:41:40 -0500

    Thanks for the reply David,

    You are focusing on the Computers container. I understand that default
    behavior is that new computers are created in the Computers container. Can
    this be changed, based upon group membership, to automatically add them to a
    Computers OU located within their Parent? That is my ultimate goal. They can
    predeploy them, but I want to have the ability to automatically add them to
    the OU they are delegated permission to do so.

    Thanks for your help

    Jon

    "David Everett [MSFT]" <deverett@online.microsoft.com> wrote in message
    news:u%23MaYN3EEHA.4080@TK2MSFTNGP09.phx.gbl...
    > One minor change to Step 7....
    >
    > Instead of Editing the Existing rights, Add the user or group again to the
    > Advanced Security and click "Apply onto...". In the drop-down box select
    > Computer Objects and then set Allow on the following:
    > a. Read all Properties
    > b. Write all Properties
    > c. Change Password
    > d. Reset Password
    >
    > In the end they will have "Create Computer Objects" and "Delete Computer
    > Objects" on "This object and all child objects" and the 4 rights listed
    > above on "Computer Objects".
    > --
    > David Everett
    > Microsoft Corporation
    >
    > This posting is provided "AS IS" with no warranties, and confers no
    rights.
    >
    > "Jon Paskett" <paskettj@email.NOSPAM.com> wrote in message
    > news:up#ExIqEEHA.1544@TK2MSFTNGP11.phx.gbl...
    > > OS = Windows Server 2003
    > >
    > > I need to delegate permission to a group of users to add computers to
    the
    > > domain in their OU only. Creating a custom task allowing Object Type =
    > > Computer Objects, Create/Delete objects with Full Control Permission in
    > the
    > > custom delegation wizard. However, this does not allow group members to
    > add
    > > the computer to the domain. AD says user does not have permission.
    > >
    > > TIA
    > >
    > > Jon
    > >
    > >
    >
    >

  • Next message: b: "Re: Newbie Advice on Schema Change"

    Relevant Pages

    • Re: user have multiple PCs
      ... Groups of computers should work though I recommend using global groups. ... changing group membership of a computer note that you need to reboot the ... >> do not want it to apply to tech support then give tech support deny ... >> try changing the order of the GPOs in the list for the OU and configure ...
      (microsoft.public.windows.group_policy)
    • Re: how do I use LDAP for these?
      ... > computers but however I do not have enterprise or domain admin rights to ... Now I need to check for group membership for mapped drives. ... >> domain and instead put computers, ...
      (microsoft.public.scripting.wsh)
    • Re: Need tweak to prohibit creation of new shares
      ... Check their group membership. ... them to regular users if at all possible. ... Also do their computers really need to ... to manage their Computers Remotely then uninstall file and print sharing on them ...
      (microsoft.public.win2000.security)
    • Group Membership Problem
      ... I been reading about VBS scripting for group membership for ... login scripting for group membership but I like to know how ... If InStr(strGroup, ORGANIZATIONAL GROUP NAME) Then ... I got many computers who are added to the domain inside one ...
      (microsoft.public.windows.server.scripting)
    • Re: Delegating permission to add computers to the domain
      ... Delegation is needed, not on the Computers container. ... I don't believe sysprep joins machines to OUs where groups have been ...
      (microsoft.public.windows.server.active_directory)