We had gone through the delegation route before, in my current company. We have a 
group of engineers that stage and restage computers on a daily basis. Even with the 
normal prestaging and a lot of education, somehow the "normal" route did not work 
adequately for our "unique" requirements.
 
What I have done is put a web front-end to a script that users now use to accomplish 
this task.
 
This is how we did it (sorry for the length of the explanation):
 
1.  Create an account that has the specific delegation/permission to add/remove 
computer objects.
2.  Create an ASP (essentially a VBScript doing LDAP) page/application on a web server.
3.  Protect the application such that only a certain group of users can log into it 
(we are lucky that we use only IE here, so we use Integrated Windows Authentication 
for the website).
4.  When a user logs into the site, we get their login credentials and do a quick 
query for their Site (physical location) and OU.
5.  The user enters the name of the computer they want to create.
6.  The application uses LDAP, using the credentials of the account that has the 
delegation (the username and password are stored in a SQL DB), and creates the 
computer object in the Computer OU of the user's OU.
7.  The application then applies the relevant permissions and grants the user the 
rights to add THAT computer to the domain.
8.  The user then goes to the computer and simply joins it to the domain.
 
There is more behind-the-scenes stuff that happens overall, but the above is the 
general outline. It took a while to get the application in place, but now that it is 
in place, a login and a computer name is all it takes for any authorized user to add 
computers to their own OU.
 
We also have the Administrators' version, where the admin can specify the OU in which 
they want to create the computer.
 
I am not sure if posting lengthy code snippets will be welcome here. So, Chris, you 
can hook up with me offline if you would like to see the code.
 
 
Sincerely,

Dèjì Akómoláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Wed 7/16/2003 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Adding machines to OU directly


Mayet,
 
What you will likely need to do is to proceed along the following lines:
 
1.  Right click on the OU of your choice and go to Security.
2.  Select Advanced / Add / Select the group that you want to accomplish the task
3.  By default, they should have READ, etc.  Scroll down and select Allow Create / 
Delete Computer Objects
4.  In the 'Apply on to:' dialog, select This Object and All Child Objects.  Hit 
'Apply' to save what we have so far.
5.  Click 'Add' again in the Advanced Security dialog UI.  Select the group for the 
task (same group as above).
6.  In the 'Apply on to:' select 'Computer Objects' and grant Full Control
7.  Click 'OK' until you completely exit
 
This should do the following:  Allow the selected group to Create and Delete Computer 
Objects within the OU in which this delegation was done (yep - still delegation - not 
done through the Delegate Control selection, but this *IS* what goes on behind the 
scenes anyway....), then we delegated the permission to fully control Computer Objects 
- allowing the ability to create the various attributes that make up a computer object 
- but only computer objects, and nothing else.  
 
As you go through this exercise, it's interesting to note how many permissions are 
associated with these objects.  Notice that there is a properties tab, too!  This is 
what allows one to change the name, etc., of an object as this is a property of the 
object.
 
Take your time as you go through this.  If you get a grasp of what happens in this 
delegation, then the rest of your permissions tasks will be much easier.
 
Good luck!
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
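Rick's seven clicks above and Dèjì's "pre-create, then grant the user rights on THAT computer" flow are the same two DACL operations written against different objects. The script below is an added example for this thread, not code from any poster: it needs the ActiveDirectory module (RSAT) and the AD: drive it provides, and it must run under an account that is itself allowed to edit the DACL of the OU or computer object. The OU path, group name, user name and computer name are constructed sample values; the five GUIDs are the well-known schema and extended-right GUIDs that are the same in every forest. `Grant-OuComputerDelegation` reproduces Rick's steps (Create/Delete Computer Objects on the OU and all children, then Full Control scoped to descendant computer objects only). `New-PrestagedComputer` reproduces Dèjì's per-machine variant, granting one user only the four rights the domain-join path needs on one pre-created object; those same four rights are what a joining account must hold on an account that already exists, which is the case Yusuf describes further down.

```powershell
# Added example for this thread; not code from any poster. Assumes the
# ActiveDirectory module (RSAT) and its AD: drive, run under an account that may
# edit the DACL of the OU / computer object. Names and DNs below are constructed.
Import-Module ActiveDirectory

# Well-known GUIDs from the AD schema and the Extended-Rights container
# (identical in every forest).
$ComputerClassGuid        = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class 'computer'
$ResetPasswordRightGuid   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$ValidatedDnsHostNameGuid = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # validated write: dNSHostName
$ValidatedSpnGuid         = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # validated write: servicePrincipalName
$AccountRestrictionsGuid  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # property set: Account Restrictions

# Append one Allow ACE to the DACL of an AD object. The object-type and
# inherited-object-type GUIDs are what scope a grant to computer objects only.
function Add-AdAllowAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Guid] $ObjectType = [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = 'None',
        [Guid] $InheritedObjectType = [Guid]::Empty
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
                $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Rick's steps 1-7 as a script: the group may create/delete computer objects in
# the OU ("This object and all child objects"), and has Full Control over the
# computer objects beneath it and over nothing else.
function Grant-OuComputerDelegation {
    param([string] $OuDn, [string] $GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    Add-AdAllowAce -DistinguishedName $OuDn -Sid $sid `
        -Rights 'CreateChild, DeleteChild' -ObjectType $ComputerClassGuid -Inheritance All
    Add-AdAllowAce -DistinguishedName $OuDn -Sid $sid `
        -Rights GenericAll -Inheritance Descendents -InheritedObjectType $ComputerClassGuid
}

# Deji's per-machine variant: pre-create the object in the chosen OU, then give
# one user only the rights the domain-join path needs on that one object.
function New-PrestagedComputer {
    param([string] $ComputerName, [string] $OuDn, [string] $UserName)
    $computer = New-ADComputer -Name $ComputerName -SamAccountName "$ComputerName`$" `
                    -Path $OuDn -PassThru
    $sid = (Get-ADUser -Identity $UserName).SID
    $dn  = $computer.DistinguishedName
    Add-AdAllowAce -DistinguishedName $dn -Sid $sid -Rights ExtendedRight -ObjectType $ResetPasswordRightGuid
    Add-AdAllowAce -DistinguishedName $dn -Sid $sid -Rights Self          -ObjectType $ValidatedDnsHostNameGuid
    Add-AdAllowAce -DistinguishedName $dn -Sid $sid -Rights Self          -ObjectType $ValidatedSpnGuid
    Add-AdAllowAce -DistinguishedName $dn -Sid $sid -Rights WriteProperty -ObjectType $AccountRestrictionsGuid
    return $dn
}

# Constructed sample values for this example.
$ou = 'OU=Workstations,OU=Chicago,DC=example,DC=com'
Grant-OuComputerDelegation -OuDn $ou -GroupName 'Chicago-OU-Admins'
New-PrestagedComputer -ComputerName 'CHI-WS-0042' -OuDn $ou -UserName 'jdoe'
```

Two design points worth noticing. First, Rick's step 6 (Full Control on computer objects) is broader than a join needs; the four ACEs in `New-PrestagedComputer` are the least-privilege set for "join a machine to an account that already exists", and they can be applied at OU level with `-Inheritance Descendents -InheritedObjectType $ComputerClassGuid` if a group rather than one user should hold them. Second, the script acts under the caller's own identity rather than under a shared delegated account whose password lives in a database, so the audit trail on the resulting ACEs and objects points at the person who ran it.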
  

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Wednesday, July 16, 2003 11:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly



Well seeing this discussion has started I would like to throw a curve ball.

 

In my environment I have chosen the route of training the junior lads to pre-create 
the computer account in the relative OU.

 

I have delegated the following permission over "Computer Objects" to "Add and Remove 
computer objects" 

 

The problem I am experiencing is that if the computer account already exists in the OU, 
the error received is "Access Denied".

 

Thanks in advance

Yusuf

 

________________________________

From: Sullivan, Kevin [mailto:[EMAIL PROTECTED] 
Sent: 16 July, 2003 17:14 PM
To: [EMAIL PROTECTED]

 

You don't need to give them Account Operator rights. You give them 'specific' 
delegated rights. There could be some complex solutions that involve automating the 
process of looking through the Computers container and moving computer accounts to the 
appropriate container (that is, if you know the appropriate container via a name 
designation or something). This can be automated and scheduled, but if you are too 
understaffed I doubt you will be able to find the time to develop this kind of 
solution. To have full functionality to address some of the complexities of AD 
management easily, you will probably want to evaluate third-party administrative tools. 
(<plug>Oh, yeah, my company has one.</plug>)

 

Kevin Sullivan

Aelita Software

www.aelita.com

 

________________________________

From: Chris Flesher [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 16, 2003 11:07 AM
To: [EMAIL PROTECTED]

 

I saw that out on Technet. That's great as long as there is a person/group to handle 
that. We are understaffed and are looking for the OU admins to take care of this 
without giving them Account Operator rights. 

 

 

Chris Flesher

The University of Chicago

NSIT/DCS

1-773-834-8477

        -----Original Message-----
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rakes, Brandon 
A. NMIMC Contractor
        Sent: Wednesday, July 16, 2003 9:58 AM
        To: '[EMAIL PROTECTED]'
        Subject: RE: [ActiveDir] Adding machines to OU directly

        The way we have done it is to delegate administrative rights to the OU and 
then create the computer account in that OU first and then add the computer. If there 
is another way to automatically make it go in the desired OU I would love to hear how.

         

        Brandon

         

        -----Original Message-----
        From: Chris Flesher [mailto:[EMAIL PROTECTED] 
        Sent: Wednesday, July 16, 2003 10:33 AM
        To: [EMAIL PROTECTED]
        Subject: [ActiveDir] Adding machines to OU directly

         

        Is there a way to delegate to a user the right to not only add machines to a 
domain, but place the user into the OU of their choice? I'm looking for an easy way to 
allow OU administrators to add machines and then instead of having the machine going 
into the computers container, go directly into the OU. Maybe I'm making this too 
complicated......

         

        Chris Flesher

        The University of Chicago

        NSIT/DCS

        1-773-834-8477

         
