LOL. When we first started looking at importing all of the resource objects into the master account domains after we realized the master/resource domain model just wouldn't work well we came up with that idea. Pissed a lot of people off when we finally got it implemented, people screaming and crying and saying we were shutting down their business and all sorts of stuff. There were a couple of times that I thought it was going to get overturned but it didn't. It really helps because it keeps people aware that there are standareds at all otherwise they just say, I didn't know.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, July 25, 2003 11:59 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Do you allow users to add computers to AD themselves? Too cool. I like this A LOT! And, *I'd* get fired in a heartbeat for doing it! :-D But, I still LIKE IT! Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Friday, July 25, 2003 10:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Do you allow users to add computers to AD themselves? We allow local site admins to create and join workstations. We require them to submit tickets to the domain admins to create server objects. We have a script that scans the domains and if we find server objects in workstation OU's (i.e. not created by the domain admins) we put them in jail - i.e. an OU only enterprise admins have access to and wipe the ACL on the server object and disable it. It prevents them from using it and reusing the name. Also if we find workstations not following the standards we jail them as well. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Friday, July 25, 2003 7:04 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Do you allow users to add computers to AD themselves? We're having some internal debates at work and I'm curious how other people do it and their reasons. I know authenticated users can add up to 10 computers to AD, but do you leave it at that or restrict it to some type of admin group? List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/