Re: restrict delegated admins to create computer accounts in AD

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 09/25/04


Date: Sat, 25 Sep 2004 12:14:30 +0100

The way to do this is to create security groups (domain local) and give
those groups an advanced write permission(s) to the OUs they represent, e.g.
OU=UK, Domain Local Security Group = ouUK, and then add users to a global
group and add that group to the domain local.

Now, any users added to the global groups that are members of the
appropriate local groups will be able to prestage computer accounts in their
OUs. These computers can then be joined to the domain and will be members
of the appropriate OU - as the computer will recognise its prestaged
account.

The exact permissions required are:
 -- Create Computer Objects
 -- Delete Computer Objects

To access these permissions, use the advanced DACL editor on the OU you wish
to make this change on.

These permissions can also be set through the delegation of control wizard.

Paul Williams
_______________________________
 http://www.msresource.net

Join us in our free, public forum:
 http://forums.msresource.net
_______________________________
"umut cavusoglu" <umutcavusoglu@discussions.microsoft.com> wrote in message
news:69E246B2-80F8-4066-8258-BB5680E9FAAF@microsoft.com...
I need help to restrict my sub-admins, those distributed across different
locations, to create or to pre-stage limited computer accounts - not add
computers to domain - in AD hierarchy?
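The delegation Paul describes (domain-local group on the OU, global group nested inside it, Create/Delete Computer Objects granted through the advanced DACL editor) can be scripted so that it is repeatable and reviewable. The following is an added example, not code from the post or from msresource.net; it uses the ActiveDirectory PowerShell module and assumes a domain example.com, a target OU=UK, a domain-local group named ouUK (from the post), a global group named UK-Admins and a container OU=Groups for the groups; all of those names are assumptions. The computer class schemaIDGUID used to scope the ACE is the well-known value for the `computer` class.

```powershell
# Added example (not from the original post): delegate "Create Computer Objects" and
# "Delete Computer Objects" on one OU using the domain-local / global group nesting
# described in the reply. Requires the ActiveDirectory module (RSAT) and rights to
# modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN       = 'OU=UK,DC=example,DC=com'       # assumed: OU to delegate
$groupsOU   = 'OU=Groups,DC=example,DC=com'   # assumed: where the groups live
$localName  = 'ouUK'                          # domain-local group (name from the post)
$globalName = 'UK-Admins'                     # assumed: global group of delegated admins

# schemaIDGUID of the "computer" object class. Scoping the ACE to this GUID is what
# turns a generic "Create child / Delete child" into "Create/Delete Computer Objects",
# so the delegates cannot create users, groups or sub-OUs with the same ACE.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function New-DelegationGroups {
    # Domain-local group carries the permission, global group holds the people (AGDLP).
    if (-not (Get-ADGroup -Filter "Name -eq '$localName'")) {
        New-ADGroup -Name $localName -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$globalName'")) {
        New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security -Path $groupsOU
    }
    Add-ADGroupMember -Identity $localName -Members $globalName
}

function Grant-ComputerObjectRights {
    param([string]$OU, [string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OU"

    # CreateChild + DeleteChild limited to the computer class, applied to this OU and
    # every sub-OU (InheritanceType All) so prestaging works in child OUs as well.
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $computerClassGuid, $inherit

    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function Test-ComputerObjectRights {
    # Lists the ACEs on the OU held by the group, so the result can be checked against
    # what the advanced DACL editor shows (expect CreateChild, DeleteChild on the
    # computer class GUID only, nothing broader).
    param([string]$OU, [string]$GroupName)
    $ident = "$((Get-ADDomain).NetBIOSName)\$GroupName"
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference.Value -eq $ident } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
}

# Usage (run as an account allowed to change the OU's DACL):
New-DelegationGroups
Grant-ComputerObjectRights -OU $ouDN -GroupName $localName
Test-ComputerObjectRights  -OU $ouDN -GroupName $localName
```

The Delegation of Control wizard mentioned in the reply writes equivalent ACEs; either way, the check at the end is worth keeping, because an ACE whose ObjectType is the all-zeros GUID (unscoped Create/Delete child) would let the delegates create any object class in the OU rather than only computer accounts. Members of the global group still need a way to join the machines afterwards, which the post covers separately from this permission.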