Archived from groups: microsoft.public.win2000.active_directory (More info?)
Can anyone point me to a script or some method for when a site admin adds a
computer in their site to Active Directory that it gives them local
administrative rights on that computer automatically. I figured out how to
use a GPO for an OU to do this but the computers are created in the computer
object. So a second way to solve this would be a script or method that would
automatically move a computer to the appropriate OU depending on which site
admin joined it to the domain.
Archived from groups: microsoft.public.win2000.active_directory (More info?)
"jbud" <jbud@discussions.microsoft.com> wrote in message
news:75F87AB7-9E55-4296-B473-3091FBD03AD1@microsoft.com...
> Can anyone point me to a script or some method for when a site admin adds a
> computer in their site to Active Directory that it gives them local
> administrative rights on that computer automatically. I figured out how to
> use a GPO for an OU to do this but the computers are created in the computer
> object. So a second way to solve this would be a script or method that would
> automatically move a computer to the appropriate OU depending on which site
> admin joined it to the domain.

Not impossible to arrange (there was some related
discussion recently) but recognize that the script
in question would need to run on the NEW COMPUTER
to affect the computer's own Administrators group.

Easiest is to do this with either a Restricted Group
through a GPO, or a logon script in the GPO.

BTW: What's a "site admin"? <grin>

There is no such technical distinction so we can only
guess what you actually do to arrange this.

Chances are that is an OU Admin -- made such by
delegating that User/Group authority over an OU
but this is only a guess.

If done this way, it is perfectly normal that this is
the ONLY place where the user could add the new
account (computer or user.)
--
Herb Martin
Archived from groups: microsoft.public.win2000.active_directory (More info?)
Yeah sorry about the site admin thing. You are exactly right it is a
regionally split OU structure with each OU aka site having their own admin.
So if I understand you correctly if I have delegated a group authority over
this OU and therefore sub OUs then the computers that are joined by this user
will appear in their OU?
Thanks
Archived from groups: microsoft.public.win2000.active_directory (More info?)
"jbud" <jbud@discussions.microsoft.com> wrote in message
news9B6206E-8513-45BC-99E0-5CAF74ED25FA@microsoft.com...
> Yeah sorry about the site admin thing. You are exactly right it is a
> regionally split OU structure with each OU aka site having their own admin.
> So if I understand you correctly if I have delegated a group authority over
> this OU and therefore sub OUs then the computers that are joined by this user
> will appear in their OU?
Or at least they will appear nowhere else.***
One caveat: By default every user can create 10
computer accounts in the domain (it solves another
annoying problem).
If you disable that my claim (nowhere else) will be true.
--
Herb Martin
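
The two points raised in this thread (the default quota of 10 computer accounts per user, and moving computers to the OU of the admin who joined them) can be checked with a short script. This is an added example, not code from any poster in the thread; it assumes the ActiveDirectory PowerShell module (which postdates the Windows 2000 tools the thread was written for), and the group names and OU paths in the mapping are hypothetical.

```powershell
Import-Module ActiveDirectory

# Hypothetical mapping: delegated OU admin group -> OU for that region's computers.
$OuByAdminGroup = @{
    'East-OU-Admins' = 'OU=Computers,OU=East,DC=example,DC=com'
    'West-OU-Admins' = 'OU=Computers,OU=West,DC=example,DC=com'
}

$domain = Get-ADDomain

# 1. Report the per-user computer account quota (default 10) mentioned in the thread.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota"
# To disable the quota so that only delegated admins can create computer accounts:
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 2. List computers left in the default container, with the SID of whoever created them.
#    mS-DS-CreatorSID is populated for accounts created through the per-user quota.
$strays = Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer `
    -SearchScope OneLevel -Properties 'mS-DS-CreatorSID'

foreach ($pc in $strays) {
    $sid = $pc.'mS-DS-CreatorSID'
    if (-not $sid) {
        Write-Output "$($pc.Name): no creator SID recorded, review manually"
        continue
    }
    try   { $creator = Get-ADUser -Identity "$sid" -ErrorAction Stop }
    catch { Write-Output "$($pc.Name): creator $sid is not a resolvable user"; continue }

    # Direct group memberships only; nested groups are not expanded here.
    $groups = @((Get-ADPrincipalGroupMembership -Identity $creator).Name)
    $match  = @($OuByAdminGroup.Keys | Where-Object { $groups -contains $_ })
    if ($match.Count -ne 1) {
        Write-Output "$($pc.Name): creator $($creator.SamAccountName) maps to $($match.Count) OUs, skipped"
        continue
    }
    # -WhatIf shows the move without performing it; remove it once the output looks right.
    Move-ADObject -Identity $pc.DistinguishedName `
        -TargetPath $OuByAdminGroup[$match[0]] -WhatIf
}
```

Once a computer is in the regional OU, the Restricted Groups GPO linked there applies to it at the next policy refresh.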