Mayet,
What you will likely need to do is to proceed along the following lines:
1. Right click on the OU of your choice and go to Security.
2. Select Advanced / Add / Select the group that you want to accomplish the task
3. By default, they should have READ, etc. Scroll down and select Allow Create / Delete Computer Objects
4. In the 'Apply on to:' dialog, select This Object and All Child Objects. Hit 'Apply' to save what we have so far.
5. Click 'Add' again in the Advanced Security dialog UI. Select the group for the task (same group as above).
6. In the 'Apply on to:' select 'Computer Objects' and grant Full Control
7. Click 'OK' until you completely exit
This should do the following: Allow the selected group to Create and Delete Computer Objects within the OU in which this delegation was done (yep - still delegation - not done through the Delegate Control selection, but this *IS* what goes on behind the scenes anyway....), then we delegated the permission to fully control Computer Objects - allowing the ability to create the various attributes that make up a computer object - but only computer objects, and nothing else.
As you go through this exercise, it's interesting to note how many permissions are associated with these objects. Notice that there is a properties tab, too! This is what allows one to change the name, etc., of an object as this is a property of the object.
Take your time as you go through this. If you get a grasp of what happens in this delegation, then the rest of your permissions tasks will be much easier.
Good luck!
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y
Sent: Wednesday, July 16, 2003 11:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding machines to OU directly
Well seeing this discussion has started I would like to throw a curve ball.
In my environment I have chosen the route to train the junior lads into pre-creating the computer account into the relative OU.
I have delegated the following permission over "Computer Objects" to "Add and Remove computer objects"
The problem I am experiencing is that if the computer account already exists in the OU the error received is "access Denied"
Thanks in advance
Yusuf
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
You don't need to give them account operator rights. You give them 'specific' delegated rights. There could be some complex solutions that involve automating the process of looking through the computers container and moving computer account to the appropriate container (that is if you know the appropriate container via a name designation or something). This can be automated and scheduled but if you are too understaffed I doubt you will be able to find the time to develop this kind of solution. To have full functionality to address some of the complexities of AD management easily you will probably want to evaluate third-party administrative tools. (<plug>Oh, yeah, my company has one.</plug>)
Kevin Sullivan Aelita Software www.aelita.com
From: Chris Flesher [mailto:[EMAIL PROTECTED]
I saw that out on Technet. That's great as long as there is a person/group to handle that. We are understaffed and are looking for the OU admins to take care of this without giving them Account Operator rights.
Chris Flesher The University of Chicago NSIT/DCS 1-773-834-8477
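The two-ACE delegation that Rick Kingslan's steps 1 to 7 build in the Advanced Security dialog, written as a script that also reads the result back for review. This is an added example, not part of the original e-mails; it assumes the ActiveDirectory PowerShell module is available, and the function name, OU distinguished name and group name are hypothetical placeholders.

```powershell
# Added example (not from the thread): scripted form of steps 1-7.
Import-Module ActiveDirectory   # provides the AD: drive and Get-ADGroup

function Grant-ComputerObjectDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,       # OU to delegate on
        [Parameter(Mandatory)] [string] $GroupName   # group receiving the rights
    )
    # schemaIDGUID of the 'computer' object class
    $computer = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    $sid      = (Get-ADGroup -Identity $GroupName).SID
    $path     = "AD:\$OuDn"
    $acl      = Get-Acl -Path $path
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

    # Steps 2-4: Allow Create / Delete Computer Objects,
    # applied to "This object and all child objects".
    $ccdc = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $ccdc, $allow, $computer, $inherit::All)

    # Steps 5-6: Full Control, applied to computer objects only
    # (inherited by descendants whose class is 'computer').
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $fullControl = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $full, $allow, $inherit::Descendents, $computer)

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($fullControl)
    Set-Acl -Path $path -AclObject $acl

    # Read the ACL back and return only this group's explicit ACEs,
    # so the delegation can be checked against what was intended.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
        Select-Object ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType
}

# Hypothetical OU and group names:
Grant-ComputerObjectDelegation -OuDn 'OU=Workstations,DC=example,DC=com' `
                               -GroupName 'OU-Computer-Admins'
```

The returned rows should show exactly two entries for the group: CreateChild/DeleteChild with ObjectType set to the computer class GUID, and GenericAll with InheritedObjectType set to the same GUID.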