local administrator rights

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Can anyone point me to a script or some method for when a site admin adds a
computer in their site to Active Directory that it gives them local
administrative rights on that computer automatically. I figured out how to
use a GPO for an OU to do this but the computers are created in the computer
object. So a second way to solve this would be a script or method that would
automatically move a computer to the appropriate OU depending on which site
admin joined it to the domain.

Thanks
3 answers Last reply
More about local administrator rights
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "jbud" <jbud@discussions.microsoft.com> wrote in message
    news:75F87AB7-9E55-4296-B473-3091FBD03AD1@microsoft.com...
    > Can anyone point me to a script or some method for when a site admin adds
    a
    > computer in their site to Active Directory that it gives them local
    > administrative rights on that computer automatically. I figured out how to
    > use a GPO for an OU to do this but the computers are created in the
    computer
    > object. So a second way to solve this would be a script or method that
    would
    > automatically move a computer to the appropriate OU depending on which
    site
    > admin joined it to the domain.

    Not impossible to arrange (there was some related
    discussion recently) but recognize that the script
    in question would need to run on the NEW COMPUTER
    to affect the computer's own Adminstrators group.

    Easies is to do this with either a Restricted Group
    through a GPO, or a logon script in the GPO.

    BTW: What's a "site admin"? <grin>

    There is no such technical distinction so we can only
    guess what you actually do to arrange this.

    Chances are that is an OU Admin -- made such by
    delegating that User/Group authority over an OU
    but this is only a guess.

    If done this way, it is perfectly normal that this is
    the ONLY place where the user could add the new
    account (computer or user.)
    --
    Herb Martin


    >
    > Thanks
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Yeah sorry about the site admin thing. You are exactly right it is a
    regionally split OU structure with each OU aka site having their own admin.
    So if I understand you correctly if I have delegated a group authority over
    this OU and therefore sub OUs then the computers that are joined by this user
    will appear in their OU?

    Thanks

    "Herb Martin" wrote:

    > "jbud" <jbud@discussions.microsoft.com> wrote in message
    > news:75F87AB7-9E55-4296-B473-3091FBD03AD1@microsoft.com...
    > > Can anyone point me to a script or some method for when a site admin adds
    > a
    > > computer in their site to Active Directory that it gives them local
    > > administrative rights on that computer automatically. I figured out how to
    > > use a GPO for an OU to do this but the computers are created in the
    > computer
    > > object. So a second way to solve this would be a script or method that
    > would
    > > automatically move a computer to the appropriate OU depending on which
    > site
    > > admin joined it to the domain.
    >
    > Not impossible to arrange (there was some related
    > discussion recently) but recognize that the script
    > in question would need to run on the NEW COMPUTER
    > to affect the computer's own Adminstrators group.
    >
    > Easies is to do this with either a Restricted Group
    > through a GPO, or a logon script in the GPO.
    >
    > BTW: What's a "site admin"? <grin>
    >
    > There is no such technical distinction so we can only
    > guess what you actually do to arrange this.
    >
    > Chances are that is an OU Admin -- made such by
    > delegating that User/Group authority over an OU
    > but this is only a guess.
    >
    > If done this way, it is perfectly normal that this is
    > the ONLY place where the user could add the new
    > account (computer or user.)
    > --
    > Herb Martin
    >
    >
    > >
    > > Thanks
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "jbud" <jbud@discussions.microsoft.com> wrote in message
    news:D9B6206E-8513-45BC-99E0-5CAF74ED25FA@microsoft.com...
    > Yeah sorry about the site admin thing. You are exactly right it is a
    > regionally split OU structure with each OU aka site having their own
    admin.
    > So if I understand you correctly if I have delegated a group authority
    over
    > this OU and therefore sub OUs then the computers that are joined by this
    user
    > will appear in their OU?

    Or at least they will appear nowhere else.***

    One caveat: By default every user can create 10
    computer accounts in the domain (it solves another
    anoying problem)

    If you disable that my claim (nowhere else) will be true.

    --
    Herb Martin


    >
    > Thanks
    >
    > "Herb Martin" wrote:
    >
    > > "jbud" <jbud@discussions.microsoft.com> wrote in message
    > > news:75F87AB7-9E55-4296-B473-3091FBD03AD1@microsoft.com...
    > > > Can anyone point me to a script or some method for when a site admin
    adds
    > > a
    > > > computer in their site to Active Directory that it gives them local
    > > > administrative rights on that computer automatically. I figured out
    how to
    > > > use a GPO for an OU to do this but the computers are created in the
    > > computer
    > > > object. So a second way to solve this would be a script or method that
    > > would
    > > > automatically move a computer to the appropriate OU depending on which
    > > site
    > > > admin joined it to the domain.
    > >
    > > Not impossible to arrange (there was some related
    > > discussion recently) but recognize that the script
    > > in question would need to run on the NEW COMPUTER
    > > to affect the computer's own Adminstrators group.
    > >
    > > Easies is to do this with either a Restricted Group
    > > through a GPO, or a logon script in the GPO.
    > >
    > > BTW: What's a "site admin"? <grin>
    > >
    > > There is no such technical distinction so we can only
    > > guess what you actually do to arrange this.
    > >
    > > Chances are that is an OU Admin -- made such by
    > > delegating that User/Group authority over an OU
    > > but this is only a guess.
    > >
    > > If done this way, it is perfectly normal that this is
    > > the ONLY place where the user could add the new
    > > account (computer or user.)
    > > --
    > > Herb Martin
    > >
    > >
    > > >
    > > > Thanks
    > >
    > >
    > >
Ask a new question

Read More

Computers Active Directory Windows