How to handle logon scripts for delegated OU's in the sysvol area?

[ed]

Here's the scenario:

Global organization, single service provider for forest and domain directory
services.
Many local IT groups who are delegated rights at the OU level to manage
their own objects (computers, users, etc)

Logon scripts need to be applied based on subsets of users in an OU.

We don't want to give write access to all the OU administrators due to
security, replication, disk storage considerations.

However, we don't want them to have to wait until the service provider
copies the new BAT file into their sysvol area.

Are there better ways to handle management of multiple logon scripts stored
in sysvol so they are automatically replicated to all DCs?

Second - Is there a way in the MMC or a resource kit tool (without scripting
an LDAP inquiry and doing a batch update) to select multiple users, and
change one of their attributes - an example being the logon script path and
file and it get updated to all selected objects? In NT4 user manager you
could do this...

Thanks in advance,

Ed

 

[Wolfgang Kais]

Hello "ed".

Here's the scenario:

Global organization, single service provider for forest and domain
directory services.
Many local IT groups who are delegated rights at the OU level to
manage their own objects (computers, users, etc)

Logon scripts need to be applied based on subsets of users in an OU.

Then you should create sub-OUs for the subsets of users.
And assign logon scripts on the OU level using GPOs.

We don't want to give write access to all the OU administrators
due to security, replication, disk storage considerations.

However, we don't want them to have to wait until the service
provider copies the new BAT file into their sysvol area.

Are there better ways to handle management of multiple logon scripts
stored in sysvol so they are automatically replicated to all DCs?

The logon scripts assigned in OUs are (the should) stored in a subfolder of
the GPO-template within the sysvol folder and thus is automatically
replicated between all DCs. The admins that manage the logon scripts must
have write access to the GPO.

Second - Is there a way in the MMC or a resource kit tool (without
scripting an LDAP inquiry and doing a batch update) to select multiple
users, and change one of their attributes - an example being the logon
script path and file and it get updated to all selected objects?
In NT4 user manager you could do this...

....and in Windows Server 2003, the console has re-learned that. You could
use the Windows Server 2003 Administrative Tools (adminpak.msi) on a
Windows XP Sp1 Workstation.
But I think it's easier to use the GPO method.

 

[ed]

Hi Wolfgang,

Thanks for your response - we did look at creating sub-OU's and you are
correct, it is a possibility worth re-considering. However we are trying to
avoid that:

Can you explain how you can pull up the properties after you select multiple
objects - I can't seem to get it working on the AD users and computers
version I have - 5.2.3718.0 with the advanced features enabled.

Ed