I went with putting a group into the default domain GPO that was able to add
machines. I did that originally because I had been told that the office
manager needed to add machines as they arrived. Shortly after that,
management told me never mind, the office manager did not want the extra
work. I left the group in there and only put the two non-admin user IDs of
us that would be adding machines into it. We had DA status, but when moving
machines around the office we used our regular accounts. These were usually
stored machines that were way out of production, kept for emergencies.

Jon

On Fri, Jul 29, 2011 at 4:08 PM, Ziots, Edward <[email protected]> wrote:

> To the list,
>
> Been reading up on the delegation of control wizard, and it seems that it can
> be customized as per
>
> http://support.microsoft.com/kb/308404
>
> And there are additional templates in the following document:
>
> Best Practices for Delegating Active Directory Administration Appendices
>
> http://www.microsoft.com/download/en/confirmation.aspx?id=20145
>
> Can these be applied through the Windows 7 RSAT tools to a Windows 2008 R2
> DFL/FFL domain?
>
> Secondly, does anyone have the specific permissions that need to be granted
> to the Computers container so that a specific group can join computers to
> the domain (and pop them out) as needed, so I can remove these users from
> Domain Admins? (I know create and delete computer objects is needed, but I
> am sure there are a few others I don't know about.) The same set of users
> would be moving the computer accounts to other OUs, which they will have
> read/write access to accordingly.
>
> I also got this off Jorge's Blog:
>
> http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
>
> (Right now in Windows 7, the Delegwiz.inf file is in the c:\windows\system32
> directory and not in %windows%\inf as stated. Does this section just need to
> be added to the delegwiz.inf file and saved, and it shows up in the ADUC
> MMC snap-in when doing delegation of control next time?)
>
> ** **
>
> This way you can delegate the creation of computer accounts to group1 and
> the joining of the computers to group2.
>
> It is also however possible you have a group of people who create computer
> accounts and also join them. To enable everyone in that group to create
> computer accounts and join the computers to the domain independent of who
> created the computer accounts, replace TEMPLATE 6 with what is mentioned
> below or perform the delegation twice with the additional task created above!
> If you want to join a computer to the domain in a specific OU and the
> computer account has not been pre-created, you cannot use the GUI at the
> computer. For this you must use the tool NETDOM so you can specify the OU
> the computer account must reside in! The latter is only possible when
> you at least have the right to create a computer object in the designated
> OU. Joining will also be possible because you automatically become the owner
> of the computer account!
>
> ;----------------------------------------------------------
> [template6]
> AppliesToClasses = domainDNS,organizationalUnit,container
>
> Description = "Add and/or join a computer to the domain in an OU (computer)"
>
> ObjectTypes = SCOPE, computer
>
> [template6.SCOPE]
> ;Right to create computer objects
> computer=CC
>
> [template6.computer]
> ;Right to join computers to domain
> CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
>
> ** **
>
> Thanks for the replies in advance,
>
> EZ
>
> Edward E. Ziots
> CISSP, Network +, Security +
> Security Engineer
> Lifespan Organization
> Email:[email protected]
> Cell:401-639-3505
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
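The permissions Ed is asking for, as an added example that is not part of the thread or of Jorge's post: the PowerShell below applies the same rights as template6 to one OU with the ActiveDirectory module (in the Windows 7 RSAT and on 2008 R2) instead of through the wizard, then lists what the group ended up holding. The OU distinguished name, the group name, and the domain and user names in the join commands at the end are placeholders; the GUIDs for the computer class and for each control right are read from the schema and from the Extended-Rights container rather than typed in.

```powershell
# Added example, not code from the thread or from Jorge's blog.
# Assumed placeholders: the OU DN and the group name below.
Import-Module ActiveDirectory

$ouDN  = "OU=Workstations,DC=corp,DC=example"   # assumed OU the group may create/join machines in
$group = Get-ADGroup "Workstation-Joiners"        # assumed group that replaces Domain Admins for joins

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights," + $rootDse.configurationNamingContext

# schemaIDGUID of the computer class: limits create/delete to computer objects
# and limits the inherited ACEs below to computer objects
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=computer)" `
    -Properties schemaIDGUID).schemaIDGUID

# rightsGuid of a control right, validated write or property set, looked up by the
# same display name that delegwiz.inf uses on its CONTROLRIGHT= line
function Get-RightGuid([string]$displayName) {
    [guid](Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$displayName)" `
        -Properties rightsGuid).rightsGuid
}

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$ouOnly  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$subtree = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDN"

# [template6.SCOPE] computer=CC, plus DeleteChild so the group can also remove ("pop out") accounts
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    $allow,
    $computerGuid,
    $ouOnly
)))

# [template6.computer]: the rights a join needs, inherited by computer objects under the OU.
# Each one is a different kind of ACE: control access right (ExtendedRight),
# validated write (Self), or write to a property set (WriteProperty).
$joinRights = @(
    @{ Name = "Reset Password";                            Kind = "ExtendedRight" },
    @{ Name = "Validated write to DNS host name";          Kind = "Self" },
    @{ Name = "Validated write to service principal name"; Kind = "Self" },
    @{ Name = "Account Restrictions";                      Kind = "WriteProperty" }
)
foreach ($r in $joinRights) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Kind,
        $allow,
        (Get-RightGuid $r.Name),
        $subtree,
        $computerGuid
    )))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: show exactly what the group now holds on the OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($group.SamAccountName)" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize

# On the workstation, a member of the group then joins straight into that OU
# (the GUI join cannot pick an OU, as Jorge's post says). Domain and user are placeholders:
#   netdom join %COMPUTERNAME% /domain:corp.example /OU:"OU=Workstations,DC=corp,DC=example" /userd:CORP\alice /passwordd:*
#   Add-Computer -DomainName corp.example -OUPath "OU=Workstations,DC=corp,DC=example" -Credential CORP\alice
```

The Kind column matters: Reset Password is a control access right, the two validated writes use the Self access bit, and Account Restrictions is a property set, so granting all four the same way (for example all as ExtendedRight) would not satisfy the access checks a join performs on the computer object. DeleteChild is there because the question also asks to remove computers; leave it out if only joins are to be delegated.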

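Jon's setup works through a user right rather than an ACL: "Add workstations to domain" (SeMachineAccountPrivilege, evaluated on the domain controllers) lets whoever holds it create computer accounts in the default computers container, up to ms-DS-MachineAccountQuota per account (10 by default), and Authenticated Users hold that right out of the box. As an added example that is not from the thread, the script below shows the checks that go with that model: the current quota, where quota joins land, which accounts have used the path (computers created this way carry the creator's SID in ms-DS-CreatorSID, which a create done under an explicit CreateChild right does not set), and how to turn the quota path off so that joins require a create right on a specific OU instead. It assumes nothing beyond an ActiveDirectory module session in the domain being examined.

```powershell
# Added example, not code from the thread. Runs against the domain of the current session.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. How many machines an ordinary account holding SeMachineAccountPrivilege may join (default 10)
$quota = (Get-ADObject -Identity $domainDN -Properties "ms-DS-MachineAccountQuota")."ms-DS-MachineAccountQuota"
Write-Output "ms-DS-MachineAccountQuota = $quota  (0 turns quota-based joins off)"

# 2. Where those joins land: the default computers container (CN=Computers unless redircmp moved it)
Write-Output "Default computers container: $($domain.ComputersContainer)"

# 3. Who has used the quota path. A computer created through the quota records its creator in
#    ms-DS-CreatorSID; one created under an explicit CreateChild right does not.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -Properties "ms-DS-CreatorSID" |
    Where-Object { $_."ms-DS-CreatorSID" } |
    ForEach-Object {
        $raw = $_."ms-DS-CreatorSID"
        # accept the attribute either as a SecurityIdentifier or as raw SID bytes
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
               else { [System.Security.Principal.SecurityIdentifier]$raw }
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator no longer resolvable (deleted account); show the SID
        New-Object PSObject -Property @{ Computer = $_.Name; CreatedBy = $who; Created = $_.Created }
    } | Format-Table Computer, CreatedBy -AutoSize

# 4. Close the quota path so that creating a computer account needs CreateChild on the target
#    container (for example a group delegated on one OU). Remove -WhatIf to apply.
Set-ADObject -Identity $domainDN -Replace @{ "ms-DS-MachineAccountQuota" = 0 } -WhatIf
```

Setting the quota to 0 does not remove the user right itself and does not touch groups that already hold CreateChild on a container; it only stops the quota-based create, which is the path that lets any authenticated user add machines without any delegation at all. Review the CreatedBy list before dropping -WhatIf so nobody who relies on the quota path is cut off without a delegated OU to use instead.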
