Re: Domain and OU Permissions

From: Arild Bakken (arildb__at_hotmail.com)
Date: 09/02/04 

Date: Thu, 2 Sep 2004 12:45:50 +0200

1. Use a VB script - you'll find examples on technet scriptcenter. Should be
about 15-30 lines of code (depending on how tidy the script is)

2. Well - what kind of admin account? You'll need to check with the Product
vendor and ask them what privileges the account needs. If it's only local
admin on the computers receiving the software, then you'll be good after
you've fixed that.

It may be that they need access to a specific file area, it may be access to
certain objects in AD etc etc. Bottom line is, figure out what the account
need access to, create a securitygroup that has that access and add the user
to that group.

If, on the other hand, the AV product checks to see if the user is a member
of the Domain Admins group, then that's what you'll need to do - add the
account to the Domain Admins group. I seriously doubt that's what they're
doing though - and if they do - then this is definately not the product of
choice for doing the roll-out.

Arild

"Mauler" <Mauler@discussions.microsoft.com> wrote in message
news:07B39809-197F-4C8E-8F71-7093914C4A56@microsoft.com...
> Is there a way to get france.admin into the local admin group without
> going
> around each PC to do it?
>
> The managed software is an Anti-Virus product. It requires an admin
> account
> to roll it out to each machine remotely.
>
>
>
> "Arild Bakken" wrote:
>
>> 1. Only members of local administrators group can add other members to
>> local
>> administrator group. So if your france.admin is member of local
>> administrators group on the computer, he can add other members.
>>
>> 2. When you say "roll-out managed software" - what tool are you using?
>> You'll need to configure the administrative permissions of that roll-out
>> tool in order to perform that action.
>>
>>
>> Arild
>>
>>
>> "Mauler" <Mauler@discussions.microsoft.com> wrote in message
>> news:AADA4644-5EB8-450B-BDFF-D0DA42139123@microsoft.com...
>> > Is there a way for the admin user (eg, france.admin) assigned to the
>> > geographical OU (eg, France) can add users to the local administrators
>> > group
>> > on machines? At the moment only the domain administrator can do it.
>> >
>> > Also, the administrator of the geographical OU needs to roll-out
>> > managed
>> > software. However, only the domain administrator seems to have
>> > privilages
>> > to
>> > do this. Is there a way around this?
>> >
>> > "Paul Bergson" wrote:
>> >
>> >> You are going to have to create a global group for each geographical
>> >> location, place the ou admins in that group and place global group in
>> >> the
>> >> local admins group. No other way that I know of.
>> >>
>> >> --
>> >>
>> >> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers no
>> >> rights.
>> >>
>> >>
>> >>
>> >> "Mauler" <Mauler@discussions.microsoft.com> wrote in message
>> >> news:E9D6468D-A3EC-4F58-B349-CC461C5005CC@microsoft.com...
>> >> > I've got a situation where I have several OUs (uk, france, etc) and
>> >> > each
>> >> of
>> >> > them has its own admin account delegated to it. The problem is that
>> >> > on
>> >> local
>> >> > machines only the domain admin (and not the OU admin) can make a
>> >> > user a
>> >> > member of the local admin group. Furthermore, only the domain admin
>> >> > group
>> >> can
>> >> > install software on these local machines too. Is there a way so that
>> >> > the
>> >> > admin accounts assigned to the OUs (above mentioned) can have
>> >> permission(s)
>> >> > to install software and add user to admin groups locally?
>> >>
>> >>
>> >>
>>
>>
>>

Loading