|
I do the exact same thing except I create and delete schools every
summer. We have a template structure for any school or business unit and an
associated delegation structure. I can whip up an OU for a unit very rapidly.
This solves the “I’m important. I need to be a domain admin.”
Problem in about twelve seconds. Create a uni group for admins of the environment,
add them to the group I have for computers cn control in the domain and whip up
their ou. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Yep best to script this. Last place I was an ops guy for, we wrote
an entire create ou script. You told it what domain and the building number and
it did the rest, built all of the OUs structures needed, created all of the
groups, put into place all of the delegations, linked the proper group policy
objects, etc. We then wrapped that script in another script and when a batch
request came in for say 20 new buildings being added to AD we fired off one
command (something like buildous domain filename) and off it would run building
them all. A little while later it would be finished and the admin doing the
work was off working on and closing 5, 10,15 other request tickets. Best part
was that it had error checking and made sure everything was done correctly so
you KNEW for absolute certain that it was configured properly. Another great part
was that if we made a change to the structure or delegation we could rerun the
script across all of the existing building numbers and it would make all of the
necessary adjustments. Of course if you have a completely ad hoc
AD design it is hard to do something like that, but that is a good argument to
not have an ad hoc design, right after the confusion doing things ad hoc
causes. joe From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Hi Jorge and Brian :) Thanks for answer. I thought indeed at dsacls, but i was hoping there was a way
natively or an add-on to AD to do this task....
:( Thinking of a file such as delegwiz.inf that could be
modified with my own settings and then be applied in one time to my OUs. Never mind, thanks for suggestions and have a nice day :) Regards, Yann De: [EMAIL PROTECTED]
de la part de Almeida Pinto, Jorge de Yep, the tool you mention can do that
because natively through AD it is not possible. However you could do with scripting and some of the free
tools around Use could use a _vbscript_ (see script repository from MS) to
create all groups and with DSACLS you can assign permissions to the group on a
certain OU Cheers, #JORGE# From:
[EMAIL PROTECTED] on behalf of TIROA YANN Hello all :) I have more than 70 OUs. In each of them, I create a group, say AdminGroup with one
or more users into it. In OU1, i've then delegated to AdminGroup1 the rights to
only view certains attributes, and write others, create certains types of
objects such as groups, computers. I would not like to the same procedure for each of
my 69 OUs... :( So is there a way to create a "delegation
template" and apply it to my whole OUs such as Active Roles from Quest do
it with its "Business Roles" ? Thanks for your input, Yann |
