Delegating Administrative rights to OU's

Guest

Hello

We would like to allow our desktop support staff the rights to manage
several OU's in our AD structure. Particularly we would like our support
staff to have the ability to manage computer and user accounts.

Currently, when new computer accounts are created they are installed by
default in the Computers container at the root of the domain. We might be
interested in changing the default location of computer accounts when created
if we will not be able to delegate rights to this container. (technically, this
is not an OU?) Our desktop support staff needs to be able to move computer
accounts to the appropriate OU once created. We would also like them to be
able to add, delete, reset, and move computer accounts to the respective OU's
that they need access to as well as user accounts.

I guess my question would be can we delegate rights to the default computer
and user containers at the root of the domain? Also, can we change the
default location of where computer accounts are created, if necessary? I did
find an article that mentioned briefly delegating rights to the two
containers via AD Sites & Services, is this right?

Thank you very much for your assistance.

Mark Clark
 
Cary Shultz [A.D. MVP]

Mark,

Another way to do this right off the bat is to create a shared network
folder in which you have the I386 folder ( and possibly slipstreamed Service
Pack - as well as other things ) and use a Network Boot Disk ( like the one
from Bart...his is modular and extremely AWESOME to work with ) and change
the location of the computer account object in the answer file. I have done
this several times....

You could use RIS but I do not believe that you can change the location of
the computer account object......so kinda a stupid suggestion!

If you are running WIN2003 then you can use the REDIRCMP and REDIRUSR, as
Ryan suggested.

So, if you want the help desk people to be able to do all these things it
might be a good idea to use the Bart's Modular Network Boot Disk suggestion,
creating the computer account objects in a 'default temporary' OU and
delegate things as appropriate.

You are correct in that you can not do much with the default USERS and
default COMPUTERS container. These are containers and not OUs. A container
is a sub-set of an OU and is not available to all of this 'neat stuff'
generally speaking.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Joseph Hume

Hi

FWIW, at my last post, the moving of computers from the default to where
it needed to be was my job as the Network Administrator. I have a
script that runs on my desktop that watches the Computer Container in
active directory that sounds a warning if a computer is added to the
domain. Consequentially, when an alarm sounds I am on the phone asking
questions if I wasn't informed beforehand that a new computer was
coming online.

Once the computers were moved to their new home, then our network
technicians took over so they could work their magic on the boxes.

Joseph
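
A polling watcher of the kind described in the post above, as an added example that is not the poster's script or any code from this thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function names, the 60-second interval and the warning action are assumptions.

```powershell
# Added example: warn when a computer account appears in the domain's default
# computer container. Function names and interval are hypothetical.
Import-Module ActiveDirectory

function Get-DefaultContainerComputers {
    # ComputersContainer is the domain's current default location for new
    # computer accounts, so a change made with redircmp is picked up here.
    $query = @{
        Filter      = '*'
        SearchBase  = (Get-ADDomain).ComputersContainer
        SearchScope = 'OneLevel'
        Properties  = 'whenCreated', 'mS-DS-CreatorSID'
    }
    Get-ADComputer @query
}

function Resolve-Creator {
    param($Sid)
    # mS-DS-CreatorSID is only populated when the account was created through
    # the "add workstations to domain" user right; otherwise it is empty.
    if (-not $Sid) { return '(creator not recorded)' }
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # SID could not be resolved to a name
}

function Watch-DefaultComputerContainer {
    param([int]$IntervalSeconds = 60)

    # Baseline: objects already present at start-up are treated as known.
    $known = @{}
    Get-DefaultContainerComputers | ForEach-Object { $known[$_.ObjectGUID] = $true }

    while ($true) {
        Start-Sleep -Seconds $IntervalSeconds
        foreach ($c in Get-DefaultContainerComputers) {
            if ($known.ContainsKey($c.ObjectGUID)) { continue }
            $known[$c.ObjectGUID] = $true
            $who = Resolve-Creator $c.'mS-DS-CreatorSID'
            $msg = "New computer account $($c.Name) created $($c.whenCreated) by $who"
            Write-Warning $msg
        }
    }
}

Watch-DefaultComputerContainer -IntervalSeconds 60
```

The account running the watcher needs only read access to the container.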
 
Ryan Hanisco

WOW... that does not sound like a fun job. I'd rather just automate to a
default OU.
 
