Thanks for the information. That might work here, but folks are used to
being able to snap computers in and out of the domain, and then move
them to their assigned OUs accordingly, as a method of troubleshooting.
Having them pre-create the workstations accordingly is going to add
another setup step, and might create some headaches for them process-wise.

 

I know about the redirect functionality of the Computers and Users
containers to an OU of choice in Win 2k8/R2 DFL/FFL; I was thinking about
that and just granting them access on that, which would probably do the
same thing.

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:[email protected]

Cell:401-639-3505

 

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Brian Arkills
Sent: Friday, July 29, 2011 5:24 PM
To: [email protected]; NT System Admin Issues
Subject: RE: [ActiveDir] Delegation of Control in Windows 2008 R2
DFL/FFL questions

 

Computers don't have to be joined via the default computers container.
You can pre-create the computer account in its final destination, then
perform the domain join.

 

We have a shared domain with "delegated OUs" for many units. We tell our
OU admins they must pre-create all computer accounts, grant them
computer account creation perms in their OU, and delegate the 'Join
computer to domain' user right. We then redirect default computer joins
to a "Dagobah Swamp" OU. On that "Dagobah Swamp" OU, we set a GPO which
displays an unpleasant Logon Banner with a URL to the documentation
about how to join a computer, and that GPO also removes all logon
locally users rights (except to the central IT folks). With each new
delegated OU about half the time they will end up with a computer in the
swamp, which we manually fish out and move over to their OU, but after
that, they learn their lesson and pre-create the computer account.

 

This has worked out very well, and we haven't had any problems with it.

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Ziots, Edward
Sent: Friday, July 29, 2011 1:09 PM
To: NT System Admin Issues
Cc: [email protected]
Subject: [ActiveDir] Delegation of Control in Windows 2008 R2 DFL/FFL
questions

 

To the list,

 

Been reading up on delegation of control wizard, and it seems that it
can be customized as per 

http://support.microsoft.com/kb/308404

 

And there are additional templates in the following document:

Best Practices for Delegating Active Directory Administration Appendices

http://www.microsoft.com/download/en/confirmation.aspx?id=20145

 

Can these be applied through the Windows 7 RSAT tools to a Windows 2008
R2 DFL/FFL domain? 

 

Secondly, does anyone have the specific permissions that need to be
granted to the Computers container so that a specific group can join
computers to the domain (and pop them out) as needed, so I can remove
these users from Domain Admins? (I know create and delete computer
objects is needed, but I am sure there are a few others I don't know
about.) The same set of users would be moving the computer accounts to
other OUs, which they will have read/write access to accordingly.

 

I also got this off Jorge's Blog

http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

(Right now in Windows 7, the Delegwiz.inf file is in the
c:\windows\system32 directory and not in %windows%\inf as stated.) Does
this section just need to be added to the delegwiz.inf file and saved,
and it shows up in the ADUC MMC snap-in when doing delegation of control
next time?

 

This way you can delegate the creation of computer accounts to group1
and the joining of the computers to group2.
 
It is also, however, possible that you have a group of people who create
computer accounts and also join them. To enable everyone in that group
to create computer accounts and join the computers to the domain
independent of who created the computer accounts, replace TEMPLATE 6 with
what is mentioned below, or perform the delegation twice with the
additional task created above! If you want to join a computer to the
domain in a specific OU and the computer account has not been
pre-created, you cannot use the GUI at the computer. For this you must
use the tool NETDOM so you can specify the OU the computer account must
reside in! The latter is only possible when you at least have the
right to create a computer object in the designated OU. Joining will
also be possible because you automatically become the owner of the
computer account!
 
;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container
 
Description = "Add and/or join a computer to the domain in an OU (computer)"
 
ObjectTypes = SCOPE, computer
 
[template6.SCOPE]
;Right to create computer objects
computer=CC
 
[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"

 

Thanks for the replies in advance,

EZ

 

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:[email protected]

Cell:401-639-3505
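Added example, not code from the thread, from Jorge's blog or from Microsoft: the rights in the [template6] delegwiz.inf section above granted with PowerShell instead of the Delegation of Control wizard, followed by the container redirect and the pre-create/join flow Brian describes. The OU, group, domain and host names are assumed placeholders; the GUIDs are the schemaIDGUID of the computer class and the rightsGuid values of the named extended rights, validated writes and property set from CN=Extended-Rights. Because the group gets Create Child for computer objects on the OU, its joins are not counted against ms-DS-MachineAccountQuota, so the members need neither Domain Admins nor the "Add workstations to domain" user right.

```powershell
# Assumed names; replace with your own OU DNs, group and host name.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Workstations,OU=Dept,DC=corp,DC=example'   # assumed delegated OU
$HoldingOU = 'OU=Dagobah Swamp,DC=corp,DC=example'           # assumed holding OU (per Brian's post)
$Group     = 'CORP\Dept-Workstation-Admins'                  # assumed group that replaces Domain Admins

# schemaIDGUID of the computer class, and rightsGuid of each entry in CN=Extended-Rights
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password ("Reset Password")
$ValidatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated-DNS-Host-Name
$ValidatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated-SPN
$AccountRestr  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account-Restrictions property set

$Sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$Acl = Get-Acl -Path "AD:\$TargetOU"

# [template6.SCOPE]  computer=CC  -> create computer objects in this OU and its sub-OUs.
# DeleteChild is added so the same group can also "pop them out".
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $Allow,
    $ComputerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# [template6.computer]  CONTROLRIGHT=...  -> scoped to descendant computer objects only.
# Validated writes are the 'Self' right with the validated-write GUID as object type;
# the property set gets read and write property, as the wizard does for property sets.
foreach ($Right in @(
    @{ Rights = 'ExtendedRight';               Type = $ResetPassword },
    @{ Rights = 'Self';                        Type = $ValidatedDns  },
    @{ Rights = 'Self';                        Type = $ValidatedSpn  },
    @{ Rights = 'ReadProperty, WriteProperty'; Type = $AccountRestr  })) {
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Right.Rights,
        $Allow,
        $Right.Type,
        $Descendents,
        $ComputerClass)))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $Acl

# Check: the group's ACEs on the OU, with object type and inherited object type.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType

# Brian's redirect: joins that did not pre-create an account land in the holding OU
# instead of CN=Computers. redircmp.exe runs once on a DC as a Domain Admin and
# needs a Windows Server 2003 or later domain functional level.
redircmp $HoldingOU

# Pre-create the account in its final OU (assumed host name), as a member of $Group.
New-ADComputer -Name 'WS-0001' -Path $TargetOU -Enabled $true

# Then, on the workstation, as a member of $Group. With the account pre-created the
# normal join is enough (GUI, netdom, or Add-Computer without -OUPath):
#   Add-Computer -DomainName corp.example -Credential (Get-Credential)
# Without a pre-created account, the OU must be named at join time, which is
# Jorge's NETDOM case; Add-Computer -OUPath is the PowerShell equivalent:
#   Add-Computer -DomainName corp.example -OUPath $TargetOU -Credential (Get-Credential)
#   netdom join WS-0001 /domain:corp.example /OU:"$TargetOU" /userd:CORP\user /passwordd:*
```

Run the ACL part once per delegated OU as an account that has WriteDacl on that OU (Domain Admins by default). Moving accounts between OUs, which the original question also asks for, additionally needs Delete on the source OU and Create Child on the destination, which the first ACE already covers when both OUs sit under $TargetOU.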

 

