Require Computer object before joining Workstation

Guest

We have a mid-sized Active Directory with a number of OUs, but the problem is
that a lot of division admins will simply join computers to the domain and
never put the computer object in the correct OU.

I would like some way of forcing local admins to first create the computer
object in their OU before it allows them to join the computer to the domain.
I am trying to avoid computers going to the default Computers OU.

Side note: The Division admins are not in the Domain Admins group. Each
Division has full access to its respective OU.

My ‘Plan B’ is to put a shutdown command in a login script for the Computers
OU, but I’m sure there is a better way.
 
Guest

Thanks for the info; quick follow-up question:

Okay, so I change the settings so that only domain admins have permission to
"Add workstations to domain" and to create objects in the default Computers
OU.

Now I will tell the division admin to create a computer object in his OU
(which he is able to do). Will the system then allow him to Add that
computer to the domain (considering that there is already an object created
and it just needs the secure channel password set)?
 
Andrei Ungureanu

Quick answer: Yes (if he is the person that created the object; otherwise
there are some permissions that need to be set on the object)


Andrei Ungureanu
www.eventid.net
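
The pre-staging workflow discussed in this thread, as an added PowerShell example that is not part of the original posts: it creates the computer object in a division OU, shows the object's owner (relevant to the caveat about who created it), and lists machines that still ended up in the default Computers container. It assumes the ActiveDirectory module is installed; the OU path and computer name are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with the division's real OU and machine name.
$DivisionOU   = 'OU=Workstations,OU=DivisionA,DC=example,DC=com'
$ComputerName = 'DIVA-WS-001'

# 1. Pre-stage the computer object in the division OU.
#    Run as the division admin who will later perform the join.
$existing = Get-ADComputer -Filter "Name -eq '$ComputerName'"
if (-not $existing) {
    New-ADComputer -Name $ComputerName -SamAccountName $ComputerName `
                   -Path $DivisionOU -Enabled $true
    $existing = Get-ADComputer -Identity $ComputerName
}

# 2. Show where the object lives and who owns it. The owner is normally the
#    account that created the object; a different admin joining the machine
#    needs permissions delegated on this object first.
$acl = Get-Acl -Path ("AD:\" + $existing.DistinguishedName)
[pscustomobject]@{
    Computer          = $existing.Name
    DistinguishedName = $existing.DistinguishedName
    Owner             = $acl.Owner
}

# 3. Audit: computer objects that still landed in the default Computers
#    container, oldest first, with the SID of the user who joined them
#    (mS-DS-CreatorSID is only populated for joins by non-admin users).
$defaultContainer = (Get-ADDomain).ComputersContainer
Get-ADComputer -SearchBase $defaultContainer -SearchScope OneLevel -Filter * `
               -Properties whenCreated, 'mS-DS-CreatorSID' |
    Sort-Object whenCreated |
    Select-Object Name, whenCreated,
                  @{ Name = 'CreatorSID'; Expression = { $_.'mS-DS-CreatorSID' } }

# 4. On the workstation itself (not run here), the division admin joins with
#    the same name; the join reuses the pre-staged object in the division OU:
#    Add-Computer -DomainName example.com -Credential (Get-Credential) -Restart
```

Running step 3 on a schedule gives a list of joins that bypassed pre-staging, which can be followed up with the division that owns the machine.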
 
