Always there to help. Trust me, I am warring with my desktop admins having a 
higher level of access than they need in the domain. We just took care of the 
helpdesk, only because an audit helped that across the way.

Too bad the politics are a little rough here to do a brute-force "you need to 
do your jobs", etc. etc. approach.

Z

----- Original Message -----
From: Sherry Abercrombie <[EMAIL PROTECTED]>
To: Active Directory Admin Issues <[email protected]>
Sent: Sat May 03 09:16:31 2008
Subject: Re: Adding New Computer to Domain

We're attempting to resolve some "management" issues with the hd/dt group that 
is responsible for building out new workstations and deploying them.  We have 
delegated the ability and permissions to add computers to the domain and they 
can move them to the proper OU, however, despite repeated requests from us and 
our manager, this is not happening.  Our manager has given us the ok to apply a 
policy that locks down new computers shall we say drastically (i.e., they can 
set the new workstation on a user's desk, but until they get it moved to the 
right OU, the user won't even be able to log on to it, it can't be remoted, 
won't answer pings etc etc, it's like it doesn't exist); that is what we're 
trying to accomplish here.  Yes, we've quoted the famous "there are rarely 
technological solutions for personnel issues" to the manager, he agrees but 
asked us, the network admins, for a way to force them to do their job.  This 
will accomplish that.  So we make our manager happy, and the procedures already 
in place are followed.

My lead was getting rather frustrated yesterday with this, and couldn't find 
the answer, he told me to find a way, even if I had to use ADSIEdit (he calls 
me the adsiedit queen), I did a bit of Googling, wasn't finding anything, 
obviously didn't have the right wording down, so I asked you guys and once 
again you've made me look like the genius.  So a big THANK YOU, when I left 
work yesterday he was already diving into that KB and probably has it ready to 
go by now.   There was even a slightly evil, maniacal laugh to go along with 
it.....from both of us.  What can I say, we like using AD to make people 
comply.  HE HE HE.


On Sat, May 3, 2008 at 5:38 AM, Fuller, Bob <[EMAIL PROTECTED]> wrote:


        Sherry,

        While you cannot apply a GPO directly to the COMPUTERS default OU, 
remember, it is a nested OU, underneath the domain root.  Placing a computer 
based policy at the domain root will trickle to PCs inside COMPUTERS as well.  
I'm sure you're thinking it, you must be careful to properly secure the GPO 
placed at the root of the AD domain, as to not lock down the entire AD.  

        Do remember though, from a fresh build or image deployed box, a PC 
will likely need a reboot or three before it absorbs and applies the policy, 
nothing is instant about GPOs and XP boxes—which is usually plenty of time to 
either use a batch process that moves the computer object, or redirect to 
another OU as suggested by Ed.  The problem that I don't like about changing 
the default ou---some software, somewhere, someday is going to expect COMPUTERS 
like it is now, plus, when you build your next server, guess where it'll go too?

        Overall, while not the most elegant of solutions, it's one that I fall 
back to every time---running a script/batch as suggested by Kurt.

        Bob


        From: Sherry Abercrombie [mailto:[EMAIL PROTECTED] 
        Sent: Friday, May 02, 2008 1:10 PM
        To: Active Directory Admin Issues
        Subject: Adding New Computer to Domain


        Is there a way to change the default OU that new computers are 
automatically added to when joined to an active directory domain?  
        
        We are looking to add a group policy that basically locks down a 
computer as soon as it's added to the domain, and then move the computer to an 
OU that has the policy that it should receive based on who/what/where.  You 
cannot add a group policy to the default Computers OU.  So far Googlefu hasn't 
yielded anything.
        
        TIA,
        
        -- 
        Sherry Abercrombie
        
        "Any sufficiently advanced technology is indistinguishable from magic." 
        Arthur C. Clarke 





-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke 
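
The scripted move of computer objects out of the default Computers container that the thread discusses, sketched as an added PowerShell example that is not part of the original messages. It assumes the ActiveDirectory module is available; the name prefixes and OU paths are constructed placeholders, not values from the thread.

```powershell
# Added example: sweep the default Computers container and move each object
# to an OU chosen by name prefix. Prefixes and OU paths below are constructed.
#Requires -Modules ActiveDirectory
param(
    [switch]$Apply   # without -Apply the script only reports what it would do
)

$domain  = Get-ADDomain
$default = $domain.ComputersContainer      # the container new joins land in
$base    = $domain.DistinguishedName

# Hypothetical naming convention -> target OU (relative to the domain DN).
# First matching pattern wins, so keep the more specific patterns first.
$rules = [ordered]@{
    'HQ-WS-*' = 'OU=Workstations,OU=HQ'
    'BR-WS-*' = 'OU=Workstations,OU=Branch'
    '*-SRV-*' = 'OU=Servers'
}

# OneLevel: only objects sitting directly in the default container.
$pending = Get-ADComputer -Filter * -SearchBase $default `
                          -SearchScope OneLevel -Properties whenCreated

foreach ($c in $pending) {
    $target = $null
    foreach ($pattern in $rules.Keys) {
        if ($c.Name -like $pattern) {
            $target = "$($rules[$pattern]),$base"
            break
        }
    }

    if (-not $target) {
        # No rule matched: leave it where the restrictive policy still applies
        # and surface it for a human to place.
        Write-Warning "$($c.Name) (created $($c.whenCreated)) matches no rule"
        continue
    }

    Move-ADObject -Identity $c.DistinguishedName -TargetPath $target `
                  -WhatIf:(-not $Apply)

    [pscustomobject]@{ Computer = $c.Name; Target = $target; Moved = [bool]$Apply }
}
```

Run without `-Apply` first to review the planned moves; objects that match no rule stay in the default container and are reported as warnings.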