local administrator rights

Guest

Can anyone point me to a script or some method for when a site admin adds a
computer in their site to Active Directory that it gives them local
administrative rights on that computer automatically. I figured out how to
use a GPO for an OU to do this but the computers are created in the computer
object. So a second way to solve this would be a script or method that would
automatically move a computer to the appropriate OU depending on which site
admin joined it to the domain.

Thanks
 
Herb Martin

jbud said:
Can anyone point me to a script or some method for when a site admin adds a
computer in their site to Active Directory that it gives them local
administrative rights on that computer automatically. I figured out how to
use a GPO for an OU to do this but the computers are created in the computer
object. So a second way to solve this would be a script or method that would
automatically move a computer to the appropriate OU depending on which site
admin joined it to the domain.

Not impossible to arrange (there was some related
discussion recently) but recognize that the script
in question would need to run on the NEW COMPUTER
to affect the computer's own Administrators group.

Easiest is to do this with either a Restricted Group
through a GPO, or a logon script in the GPO.

BTW: What's a "site admin"? <grin>

There is no such technical distinction so we can only
guess what you actually do to arrange this.

Chances are that is an OU Admin -- made such by
delegating that User/Group authority over an OU
but this is only a guess.

If done this way, it is perfectly normal that this is
the ONLY place where the user could add the new
account (computer or user.)
 
Guest

Yeah sorry about the site admin thing. You are exactly right it is a
regionally split OU structure with each OU aka site having their own admin.
So if I understand you correctly if I have delegated a group authority over
this OU and therefore sub OUs then the computers that are joined by this user
will appear in their OU?

Thanks
 
Herb Martin

jbud said:
Yeah sorry about the site admin thing. You are exactly right it is a
regionally split OU structure with each OU aka site having their own admin.
So if I understand you correctly if I have delegated a group authority over
this OU and therefore sub OUs then the computers that are joined by this user
will appear in their OU?

Or at least they will appear nowhere else.***

One caveat: By default every user can create 10
computer accounts in the domain (it solves another
annoying problem).

If you disable that my claim (nowhere else) will be true.
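
An added example, not part of the original thread: a PowerShell check of the caveat above. It reads the per-user computer-account quota and lists the machines that landed in the default Computers container along with who joined them. It assumes the ActiveDirectory module (RSAT) and an account that can read the domain; the final command is a dry run.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Per-user computer-account quota, stored on the domain head object.
#    The default of 10 is what lets any user join machines outside their OU.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2. Computers still in the default container, with the account that created them.
#    mS-DS-CreatorSID is normally set only when the join used the quota
#    rather than delegated create rights on an OU.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer `
        -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        $creator = if ($sid) {
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable (deleted) account: show the raw SID
        } else {
            '(not recorded)'
        }
        [pscustomobject]@{
            Computer    = $_.Name
            WhenCreated = $_.whenCreated
            CreatedBy   = $creator
        }
    } |
    Sort-Object WhenCreated |
    Format-Table -AutoSize

# 3. Setting the quota to 0 leaves delegated OU rights as the only way to
#    create computer accounts. -WhatIf shows the change without applying it.
Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

With the quota at 0, joins by a delegated OU admin only succeed when the computer account is created in, or pre-staged under, an OU they control, which is where the Restricted Groups GPO then applies.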
 
