Manage computers

Guest

I've created an OU structure in my domain. Now I want computers that are
moved to a specific OU to have their own administrator. This administrator could
manage the computer, install programs… By default, when a computer is joined
to a domain, the Domain Admin group is added to the Local Administrators group.
What I want is that, after moving a computer to a specific OU, it assumes another
administrator.
Is this possible??
Does anyone know it??

Regards

Chico
 
Cary Shultz [A.D. MVP]

Hey Chico!

Take a look at using Restrictive Groups. Just be advised that when using
Restrictive Groups that all 'current' members of the local group in question
are flushed and that the group that you specify is added. There is a way to
change the behavior, however. Please look at the following two MSKB
Articles on how to do this:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076

Are you sure that you do not want the Domain Admins to still be a member of
the local Administrators group for these specific computers? I might
rethink this.

HTH,

Cary
 
Andrew Mitchell

Cary Shultz said:
Hey Chico!

Take a look at using Restrictive Groups. Just be advised that when
using Restrictive Groups that all 'current' members of the local group
in question are flushed and that the group that you specify is added.
There is a way to change the behavior, however. Please look at the
following two MSKB Articles on how to do this:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076

Are you sure that you do not want the Domain Admins to still be a member
of the local Administrators group for these specific computers? I might
rethink this.

In addition to Cary's comments, you should be looking at delegation of some
rights for the OUs in which these computers reside. This could be used to
allow 'administrators' of these OUs to create GPOs for such things as
application deployments, locking down desktops or any other settings they may
wish to perform on the OU as a whole.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx


Andy
 
Guest

Thanks Cary, it works fine, and I added the Domain Admins group also to local
administrators.

Best regards

Chico
 
Cary Shultz [A.D. MVP]

Great. You figured it out on your own. Usually, if you do not want to use
810076 then the way to ensure that the Domain Admins group is still a member
of the local Administrators group is to add two groups: yours and the Domain
Admins.

Glad to see that you did this!

Cary
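
Added example, not part of any post in this thread: a Python preview of what a Restricted Groups policy would do to a machine's local Administrators group, covering the replace behaviour Cary warns about, the "list both groups" fix, and the additive "Member of" form. It assumes the `[Group Membership]` section layout of a GPO's GptTmpl.inf (`<group>__Members` / `<group>__Memberof` keys) and uses a simplified model; the `EXAMPLE\...` names and the sample policies are constructed.

```python
import configparser

ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

def parse_group_membership(inf_text):
    """Map each group in [Group Membership] to its members/memberof lists."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of keys and SIDs
    cp.read_string(inf_text)
    policy = {}
    if cp.has_section("Group Membership"):
        for key, value in cp.items("Group Membership"):
            group, _, kind = key.rpartition("__")
            names = [n.strip() for n in value.split(",") if n.strip()]
            policy.setdefault(group, {})[kind.lower()] = names
    return policy

def preview(inf_text, current, target=ADMINS):
    """Return (resulting members, removed members) of the target local group."""
    policy = parse_group_membership(inf_text)
    result = set(current)
    if "members" in policy.get(target, {}):
        # "Members" is authoritative: anything not listed is flushed.
        result = set(policy[target]["members"])
    for group, entry in policy.items():
        # "Member of" only adds the named group; existing members stay.
        if target in entry.get("memberof", []):
            result.add(group)
    return result, set(current) - result

# Constructed inputs; every EXAMPLE\... name is hypothetical.
CURRENT = {"EXAMPLE\\Domain Admins", "EXAMPLE\\helpdesk1"}
REPLACE_ONLY = "[Group Membership]\n*S-1-5-32-544__Members = EXAMPLE\\OU1 Admins\n"
REPLACE_BOTH = ("[Group Membership]\n"
                "*S-1-5-32-544__Members = EXAMPLE\\OU1 Admins,EXAMPLE\\Domain Admins\n")
ADDITIVE = ("[Group Membership]\n"
            "EXAMPLE\\OU1 Admins__Memberof = *S-1-5-32-544\n"
            "EXAMPLE\\OU1 Admins__Members =\n")

if __name__ == "__main__":
    for label, inf in [("replace", REPLACE_ONLY), ("replace+DA", REPLACE_BOTH),
                       ("additive", ADDITIVE)]:
        result, removed = preview(inf, CURRENT)
        print(f"{label:11} -> {sorted(result)} removed={sorted(removed)}")
```

Running a preview like this against each computer's current membership before linking the GPO shows which existing administrators the policy would drop.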
 