I would think that this kind of solution only works (or at least works
well) in a situation where you don't delegate OUs.

In my case, for instance, we have offices that are quite remote from
each other, and I have to delegate OUs for management purposes, and
part of that is delegating the ability to add them to the domain. The
batch file allows the remote staff to do this without our central
staff (me, really) monitoring the Computers container to manually move
them when added.

Probably not your situation, though.

On 5/3/08, Sherry Abercrombie <[EMAIL PROTECTED]> wrote:
> We're attempting to resolve some "management" issues with the hd/dt group
> that is responsible for building out new workstations and deploying them.
> We have delegated the ability and permissions to add computers to the domain
> and they can move them to the proper OU, however, despite repeated requests
> from us and our manager, this is not happening.  Our manager has given us
> the ok to apply a policy that locks down new computers shall we say
> drastically, (i.e., they can set the new workstation on a user's desk, but
> until they get it moved to the right OU, the user won't even be able to log
> on to it, it can't be remoted, won't answer pings etc etc, it's like it
> doesn't exist) that is what we're trying to accomplish here.  Yes, we've
> quoted the famous "there are rarely technological solutions for personnel
> issues" to the manager, he agrees but asked us, the
> network admins for a way to force them to do their job.  This will
> accomplish that.  So we make our manager happy, and the procedures already
> in place are followed.
>
> My lead was getting rather frustrated yesterday with this, and couldn't find
> the answer, he told me to find a way, even if I had to use ADSIEdit (he
> calls me the adsiedit queen), I did a bit of Googling, wasn't finding
> anything, obviously didn't have the right wording down, so I asked you guys
> and once again you've made me look like the genius.  So a big THANK YOU,
> when I left work yesterday he was already diving into that KB and probably
> has it ready to go by now.   There was even a slightly evil, maniacal laugh
> to go along with it.....from both of us.  What can I say, we like using AD
> to make people comply.  HE HE HE.
>
>
> On Sat, May 3, 2008 at 5:38 AM, Fuller, Bob <[EMAIL PROTECTED]> wrote:
> >
> >
> >
> >
> > Sherry,
> >
> >
> >
> > While you cannot apply a GPO directly to the COMPUTERS default OU,
> > remember, it is a nested OU, underneath the domain root.  Placing a computer
> > based policy at the domain root will trickle to PCs inside COMPUTERS as
> > well.  I'm sure you're thinking it, you must be careful to properly secure
> > the GPO placed at the root of the AD domain, as to not lock down the entire
> > AD.
> >
> >
> >
> > Do remember though, from a fresh build or image deployed box, a PC will
> > likely need a reboot or three before it absorbs and applies the policy,
> > nothing is instant about GPOs and XP boxes—which is usually plenty of time
> > to either use a batch process that moves the computer object, or redirect to
> > another OU as suggested by Ed.  The problem that I don't like about changing
> > the default ou---some software, somewhere, someday is going to expect
> > COMPUTERS like it is now, plus, when you build your next server, guess where
> > it'll go too?
> >
> >
> >
> > Overall, while not the most elegant of solutions, it's one that I fall
> > back to every time---running a script/batch as suggested by Kurt.
> >
> >
> >
> > Bob
> >
> >
> >
> >
> >
> >
> > From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]
> >
> > Sent: Friday, May 02, 2008 1:10 PM
> > To: Active Directory Admin Issues
> >
> > Subject: Adding New Computer to Domain
> >
> >
> >
> >
> >
> >
> > Is there a way to change the default OU that new computers are
> > automatically added to when joined to an active directory domain?
> >
> > We are looking to add a group policy that basically locks down a computer
> > as soon as it's added to the domain, and then move the computer to an OU
> > that has the policy that it should receive based on who/what/where.  You
> > cannot add a group policy to the default Computers OU.  So far Googlefu
> > hasn't yielded anything.
> >
> > TIA,
> >
> > --
> > Sherry Abercrombie
> >
> > "Any sufficiently advanced technology is indistinguishable from magic."
> > Arthur C. Clarke
> >
>
>
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke
>
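
The sweep-and-move approach discussed in this thread (moving new computer objects out of the default Computers container instead of watching it by hand), as an added example that is not from any poster. It assumes the ActiveDirectory PowerShell module; the name prefixes, OU paths, example.com domain and two-day threshold are constructed placeholders.

```powershell
# Added example: report computer objects still sitting in the default
# landing container and move those that match a site naming rule.
# Prefixes, OU paths and the threshold below are constructed placeholders.
Import-Module ActiveDirectory

# Hypothetical naming convention: site prefix -> delegated OU
$SiteOUs = [ordered]@{
    'NYC-' = 'OU=Workstations,OU=NewYork,DC=example,DC=com'
    'SEA-' = 'OU=Workstations,OU=Seattle,DC=example,DC=com'
}
$MaxAgeDays = 2   # assumed grace period before an object counts as overdue

function Resolve-TargetOU {
    param([string]$ComputerName)
    foreach ($prefix in $SiteOUs.Keys) {
        if ($ComputerName.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            return $SiteOUs[$prefix]
        }
    }
    return $null   # no rule matched: leave in place and report it
}

# Where new joins land: CN=Computers unless the default has been redirected
$container = (Get-ADDomain).ComputersContainer

$report = Get-ADComputer -SearchBase $container -SearchScope OneLevel -Filter * -Properties whenCreated |
    ForEach-Object {
        $target  = Resolve-TargetOU -ComputerName $_.Name
        $ageDays = [math]::Floor(((Get-Date) - $_.whenCreated).TotalDays)
        if ($target) {
            # -WhatIf only prints the intended move; remove it to apply
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $target -WhatIf
        }
        [pscustomobject]@{
            Name     = $_.Name
            AgeDays  = $ageDays
            Overdue  = $ageDays -ge $MaxAgeDays
            TargetOU = if ($target) { $target } else { '(no rule; move manually)' }
        }
    }

# Oldest stragglers first, so overdue machines are at the top of the list
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

The account running the sweep needs delete rights on the source container and create rights on each target OU, which is the same delegation the thread describes for remote staff.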
