Yep, best to script this.
Last place I was an ops guy for, we wrote an entire create OU script. You told it what domain and the building number and it did the rest: built all of the OU structures needed, created all of the groups, put into place all of the delegations, linked the proper group policy objects, etc. We then wrapped that script in another script, and when a batch request came in for, say, 20 new buildings being added to AD, we fired off one command (something like buildous domain filename) and off it would run building them all. A little while later it would be finished, and the admin doing the work was off working on and closing 5, 10, 15 other request tickets. Best part was that it had error checking and made sure everything was done correctly, so you KNEW for absolute certain that it was configured properly. Another great part was that if we made a change to the structure or delegation, we could rerun the script across all of the existing building numbers and it would make all of the necessary adjustments.
Of course, if you have a completely ad hoc AD design it is hard to do something like that, but that is a good argument to not have an ad hoc design, right after the confusion doing things ad hoc causes.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, August 03, 2005 6:48 AM
To: [email protected]
Subject: RE : [ActiveDir] Distribute a "template delegation".
Hi Jorge and Brian :)
Thanks for the answer.
I did indeed think of dsacls, but I was hoping there was a way natively or an add-on to AD to do this task... :(
Thinking of a file such as delegwiz.inf that could be modified with my own settings and then be applied in one go to my OUs.
Never mind, thanks for the suggestions and have a nice day :)
Regards,
Yann
From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Wed 03/08/2005 12:18
To: [email protected]
Subject: RE: [ActiveDir] Distribute a "template delegation".
Yep, the tool you mention can do that because natively through AD it is not possible.
However, you could do it with scripting and some of the free tools around.
You could use a VBScript (see script repository from MS) to create all groups, and with DSACLS you can assign permissions to the group on a certain OU.
Cheers,
#JORGE#
From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Wed 8/3/2005 11:54 AM
To: [email protected]
Subject: [ActiveDir] Distribute a "template delegation".
Hello all :)
I have more than 70 OUs.
In each of them, I create a group, say AdminGroup, with one or more users in it.
In OU1, I've then delegated to AdminGroup1 the rights to only view certain attributes and write others, and to create certain types of objects such as groups and computers.
I would not like to do the same procedure for each of my 69 OUs... :(
So is there a way to create a "delegation template" and apply it to all of my OUs, such as Active Roles from Quest does with its "Business Roles"?
Thanks for your input,
Yann
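
The approach suggested in the replies above (create the group in each OU, apply the same DSACLS grants everywhere, and check the result), sketched as an added example that is not part of the original thread or any poster's script. It uses PowerShell with the ActiveDirectory module in place of the VBScript mentioned; the domain name, parent OU, group naming scheme and the two attribute names are assumptions to replace with your own.

```powershell
# Added example, not from the thread. All names below are placeholders.
Import-Module ActiveDirectory

$Domain   = 'EXAMPLE'                          # NetBIOS domain name (assumed)
$ParentOU = 'OU=Buildings,DC=example,DC=com'   # container holding the ~70 OUs (assumed)

# The "delegation template": DSACLS grants in Perms;Object/Property;InheritedType form.
# Inherit T = this object and sub-objects, S = sub-objects only.
$Template = @(
    @{ Inherit = 'T'; Ace = 'CC;group' }                  # create group objects
    @{ Inherit = 'T'; Ace = 'CC;computer' }               # create computer objects
    @{ Inherit = 'S'; Ace = 'RP;telephoneNumber;user' }   # read one attribute (assumed)
    @{ Inherit = 'S'; Ace = 'WP;description;user' }       # write one attribute (assumed)
)

$failed = @()
$ous = Get-ADOrganizationalUnit -SearchBase $ParentOU -SearchScope OneLevel -Filter *
foreach ($ou in $ous) {
    $dn        = $ou.DistinguishedName
    $groupName = "AdminGroup-$($ou.Name)"

    # Create the per-OU admin group only if it is missing, so re-runs are safe.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $dn)) {
        New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope Global -GroupCategory Security -Path $dn
    }

    # Apply every template grant to this OU and record any that DSACLS rejects.
    foreach ($entry in $Template) {
        & dsacls.exe $dn "/I:$($entry.Inherit)" /G "${Domain}\${groupName}:$($entry.Ace)" | Out-Null
        if ($LASTEXITCODE -ne 0) { $failed += "$dn : $($entry.Ace)" }
    }

    # Read the ACL back and confirm the group now appears on the OU.
    $acl = & dsacls.exe $dn
    if (-not ($acl -match [regex]::Escape("$Domain\$groupName"))) {
        $failed += "$dn : group not found in ACL after grant"
    }
}

if ($failed.Count -gt 0) {
    Write-Warning ("Delegation incomplete:`n" + ($failed -join "`n"))
    exit 1
}
Write-Output "Template applied to $($ous.Count) OUs under $ParentOU"
```

Keeping the grants in one `$Template` list means a later change to the delegation is made in a single place and pushed by re-running the script across every OU, and the list itself documents exactly which rights each admin group holds.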
