I was right, my lead had this done before 5pm Friday. I left at 3:30pm, the email that it was done went out @4:49pm, the restrictive group policy will be applied Monday. Ha, life is good.
Thanks again!!

On Sat, May 3, 2008 at 1:14 PM, Ziots, Edward <[EMAIL PROTECTED]> wrote:

> Always there to help, trust me. I am warring with my desktop admins having
> a higher level of access than they need in domain. We just took care of the
> helpdesk only because an audit helped that across the way.
>
> Too bad the politics are a little rough here to do a brute force you need
> to do your jobs etc etc approach.
>
> Z
>
> ----- Original Message -----
> From: Sherry Abercrombie <[EMAIL PROTECTED]>
> To: Active Directory Admin Issues <[email protected]>
> Sent: Sat May 03 09:16:31 2008
> Subject: Re: Adding New Computer to Domain
>
> We're attempting to resolve some "management" issues with the hd/dt group
> that is responsible for building out new workstations and deploying them.
> We have delegated the ability and permissions to add computers to the domain
> and they can move them to the proper OU, however, despite repeated requests
> from us and our manager, this is not happening. Our manager has given us
> the ok to apply a policy that locks down new computers shall we say
> drastically (i.e., they can set the new workstation on a user's desk, but
> until they get it moved to the right OU, the user won't even be able to log
> on to it, it can't be remoted, won't answer pings etc etc, it's like it
> doesn't exist). That is what we're trying to accomplish here. Yes, we've
> quoted the famous "there are rarely technological solutions for personnel
> issues" to the manager, he agrees but asked us, the network admins, for a
> way to force them to do their job. This will accomplish that. So we make
> our manager happy, and the procedures already in place are followed.
>
> My lead was getting rather frustrated yesterday with this, and couldn't
> find the answer, he told me to find a way, even if I had to use ADSIEdit (he
> calls me the adsiedit queen), I did a bit of Googling, wasn't finding
> anything, obviously didn't have the right wording down, so I asked you guys
> and once again you've made me look like the genius. So a big THANK YOU,
> when I left work yesterday he was already diving into that KB and probably
> has it ready to go by now. There was even a slightly evil, maniacal laugh
> to go along with it.....from both of us. What can I say, we like using AD
> to make people comply. HE HE HE.
>
> On Sat, May 3, 2008 at 5:38 AM, Fuller, Bob <[EMAIL PROTECTED]> wrote:
>
> > Sherry,
> >
> > While you cannot apply a GPO directly to the COMPUTERS default OU,
> > remember, it is a nested OU, underneath the domain root. Placing a
> > computer based policy at the domain root will trickle to PCs inside
> > COMPUTERS as well. I'm sure you're thinking it, you must be careful to
> > properly secure the GPO placed at the root of the AD domain, as to not
> > lock down the entire AD.
> >
> > Do remember though, from a fresh build or image deployed box, a PC will
> > likely need a reboot or three before it absorbs and applies the policy,
> > nothing is instant about GPOs and XP boxes—which is usually plenty of
> > time to either use a batch process that moves the computer object, or
> > redirect to another OU as suggested by Ed. The problem that I don't like
> > about changing the default ou---some software, somewhere, someday is
> > going to expect COMPUTERS like it is now, plus, when you build your next
> > server, guess where it'll go too?
> >
> > Overall, while not the most elegant of solutions, it's one that I fall
> > back to every time---running a script/batch as suggested by Kurt.
> >
> > Bob
> >
> > From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, May 02, 2008 1:10 PM
> > To: Active Directory Admin Issues
> > Subject: Adding New Computer to Domain
> >
> > Is there a way to change the default OU that new computers are
> > automatically added to when joined to an active directory domain?
> > We are looking to add a group policy that basically locks down a
> > computer as soon as it's added to the domain, and then move the computer
> > to an OU that has the policy that it should receive based on
> > who/what/where. You cannot add a group policy to the default Computers
> > OU. So far Googlefu hasn't yielded anything.
> >
> > TIA,
> >
> > --
> > Sherry Abercrombie
> >
> > "Any sufficiently advanced technology is indistinguishable from magic."
> > Arthur C. Clarke
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke

--
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke

~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
~ <http://www.sunbelt-software.com/product.cfm?id=400> ~
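
The script approach mentioned in the thread above (a batch process that moves new computer objects out of the default Computers container into the OU whose policy they should receive), sketched as an added PowerShell example that is not part of the original messages. The hostname prefixes, OU distinguished names and sample objects are constructed placeholders; the commented live-use lines assume the ActiveDirectory RSAT module.

```powershell
# Added example (not from the thread). Prefixes and OU DNs are placeholders.
$OuRules = [ordered]@{
    'NYC-WS' = 'OU=Workstations,OU=NewYork,DC=example,DC=com'
    'DAL-WS' = 'OU=Workstations,OU=Dallas,DC=example,DC=com'
}

function Get-MovePlan {
    # Maps each computer object to a destination OU by hostname prefix.
    # Objects with no matching rule are flagged for review, never moved by
    # guesswork, so a new server that lands in the container stays put.
    param(
        [Parameter(Mandatory)] [object[]] $Computer,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Rules
    )
    foreach ($c in $Computer) {
        $target = $null
        foreach ($prefix in $Rules.Keys) {
            if ($c.Name.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                $target = $Rules[$prefix]
                break
            }
        }
        [pscustomobject]@{
            Name     = $c.Name
            SourceDN = $c.DistinguishedName
            TargetOU = $target
            Action   = if ($target) { 'Move' } else { 'Review' }
        }
    }
}

# Constructed sample of objects sitting in the default container.
$pending = @(
    [pscustomobject]@{ Name = 'NYC-WS-0142'; DistinguishedName = 'CN=NYC-WS-0142,CN=Computers,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'dal-ws-0007'; DistinguishedName = 'CN=dal-ws-0007,CN=Computers,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'SRV-SQL-03';  DistinguishedName = 'CN=SRV-SQL-03,CN=Computers,DC=example,DC=com' }
)
# Live use instead of the sample:
# $pending = Get-ADComputer -Filter * -SearchBase (Get-ADDomain).ComputersContainer -SearchScope OneLevel

$plan = Get-MovePlan -Computer $pending -Rules $OuRules
$plan | Format-Table -AutoSize

# Dry-run the moves first; drop -WhatIf once the plan has been checked:
# $plan | Where-Object Action -eq 'Move' |
#     ForEach-Object { Move-ADObject -Identity $_.SourceDN -TargetPath $_.TargetOU -WhatIf }
```

Anything reported as `Review` stays in the default container, and so stays under whatever lockdown policy is linked at the domain root, until someone places it deliberately.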
