RE: [ActiveDir] Adding machines to OU directly

[Rick Kingslan]

Title: Message

Mayet,   What you will likely need to do is to proceed along the following lines:   1.  Right click on the OU of your choice and go to Security. 2.  Select Advanced / Add / Select the group that you want to accomplish the task 3.  By default, they should have READ, etc.  Scroll down and select Allow Create / Delete Computer Objects 4.  In the 'Apply on to:' dialog, select This Object and All Child Objects.  Hit 'Apply' to save what we have so far. 5.  Click 'Add' again in the Advanced Security dialog UI.  Select the group for the task (same group as above). 6.  In the 'Apply on to:' select 'Computer Objects' and grant Full Control 7.  Click 'OK' until you completely exit   This should do the following:  Allow the selected group to Create and Delete Computer Objects within the OU in which this delegation was done (yep - still delegation - not done through the Delegate Control selection, but this *IS* what goes on behind the scenes anyway....), then we delegated the permission to fully control Computer Objects - allowing the ability to create the various attributes that make up a computer object - but only computer objects, and nothing else.    As you go through this exercise, it's interesting to note how many permissions are associated with these objects.  Notice that there is a properties tab, too!  This is what allows one to change the name, etc., of an object as this is a property of the object.   Take your time as you go through this.  If you get a grasp of what happens in this delegation, then the rest of your permissions tasks will be much easier.   Good luck!   Rick Kingslan  MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayet, Yusuf Y Sent: Wednesday, July 16, 2003 11:01 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Adding machines to OU directly Well seeing this discussion has started I would like to throw a curve ball.   In my environment I have chosen the route to train the junior lads into pre-creating the computer account into the relative OU.   I have delegated the following permission over "Computer Objects" to "Add and Remove computer objects"   The problem I am experiencing is that if the computer account already exists in the OU the error received is "access Denied"   Thanks in advance Yusuf   From: Sullivan, Kevin [mailto:[EMAIL PROTECTED] Sent: 16 July, 2003 17:14 PM To: [EMAIL PROTECTED]   You don't need to give them account operator rights. You give them 'specific' delegated rights. There could be some complex solutions that involve automating the process of looking through the computers container and moving computer account to the appropriate container (that is if you know the appropriate container via a name designation or something). This can be automated and scheduled but if you are too understaffed I doubt you will be able to find the time to develop this kind of solution. To have full functionality to address some of the complexities of AD management easily you will probably want to evaluate third part administrative tools. (<plug>Oh, yeah, my company has one.</plug>)   Kevin Sullivan Aelita Software www.aelita.com   From: Chris Flesher [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 16, 2003 11:07 AM To: [EMAIL PROTECTED]   I saw that out on Technet. That's great as long as there is a person/group to handle that. We are understaffed and are looking for the OU admins to take care of this without giving them Account Operator rights.     Chris Flesher The University of Chicago NSIT/DCS 1-773-834-8477 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rakes, Brandon A. NMIMC Contractor Sent: Wednesday, July 16, 2003 9:58 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Adding machines to OU directly The way we have done it is to delegate administrative rights to the OU and then create the computer account in that OU first and then add the computer. If there is another way to automatically make it go in the desired OU I would love to hear how.   Brandon   -----Original Message----- From: Chris Flesher [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 16, 2003 10:33 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Adding machines to OU directly   Is there a way to delegate to a user the right to not only add machines to a domain, but place the user into the OU of their choice? I'm looking for an easy way to allow OU administrators to add machines and then instead of having the machine going into the computers container, go directly into the OU. Maybe I'm making this too complicated......   Chris Flesher The University of Chicago NSIT/DCS 1-773-834-8477   __________________________________________________________________________________________________________________________________ For information about the Standard Bank group visit our web site <www.standardbank.co.za> __________________________________________________________________________________________________________________________________   Disclaimer and confidentiality note Everything in this e-mail and any attachments relating to the official business of Standard Bank Group Limited  is proprietary to the group. It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of the group. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Standard Bank can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference. ___________________________________________________________________________________________________________________________________