I prefer to keep them in seperate trees. In fact we are just doing that at present...
________________________________
From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Thu 21/09/2006 17:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD
Thanks for your help. really useful.
Is it a good practice to move computer objects to OU where the user of the
computer resides?
On 9/20/06, Dave Wade <[EMAIL PROTECTED]> wrote:
Alberto,
Even though we made our users "PowerUsers" we found that we needed
to make a number of "tweaks" to cater for poorly written applications. I think
we now have about a dozen settings for various ill-behaved applications. The
majority of these are to cater for applications that write to places on the "C"
drive (other than the windows folders, of course) where applications should not
write. We also refreshed permissions on the "all users" profile to make sure
users don't delete items from the "all users" desktop or start-menu.
I guess the last thing to note is that we rolled the policy out in
manageable chunks of PCs, say 100 at a time, so if there were issues we could
cope with the service calls,
Hope this is useful,
Dave.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al
Mulnick
Sent: 20 September 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Assign User rights overs computers with AD
You can, but I've yet to see it be so simple. The information you're
looking for is "restricted groups" but I HIGHLY advise you to be careful and to
TEST that prior to using it on your workstations. I also highly advise that
you only apply that type of setting to workstations and not on servers
(separate them into different OU's).
Another way to do this is with a logon script that adds an account to
the local administrators group and removes the user from that group.
The testing is a way to ensure that you don't break applications on the
workstations. Some of the more poorly written applications require special
access and as a default prefer administrative access rights. They work poorly
without them. You'll want to test thoroughly so that you can remove the
unneeded rights and still allow your user community to work as expected.
I'm sure there's more cautions I can suggest, but you get the idea.
On 9/20/06, Alberto Oviedo <[EMAIL PROTECTED] > wrote:
Hello. My name is Alberto, I'm from Nicaragua
In our company the support team has granted every user
administrator rights over their workstation, We recently migrated to Windows
2003 AD and I want to revoke the privileges tha users have on their computers.
Can I do this through AD? It's around 300 users and I don't want to visit
every single one of them.
Thanks for your help.
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to
disclose this email, or any response to it, under the Freedom of Information
Act 2000, unless the information in it is covered by one of the exemptions in
the Act.
If you receive this email in error please notify Stockport e-Services
via [EMAIL PROTECTED] and then permanently remove it from your system.
Thank you.
http://www.stockport.gov.uk
**********************************************************************
<<winmail.dat>>
