Solved

Simple OU delegation and computer administration question, Windows 2003

Posted on 2007-08-09
6
Medium Priority
516 Views
Last Modified: 2012-05-05
So we're consolidating a slew of W2K and WNT domains into one gigantic one... and placing their respective standalone domains into OUs so...

Primary
-- W2K_1_OU
---- computers
---- users
-- W2K_2_OU
---- computers
---- users
...etc

We can delegate permissions to the OUs for AD management, like a prior admin of the W2K_2 domain to the now W2K_2_OU, but what of things like software installation? Say they have member servers in their new OU; what are the most efficient ways to give them control over their own servers?

I'm going through:
http://technet2.microsoft.com/windowsserver/en/library/ed0bb894-12a0-458d-9e5f-223e7303bfab1033.mspx?mfr=true 

... and subsequently: Restricted Groups Group Policy:
http://support.microsoft.com/kb/279301

But can't make sense of it. Probably because it's the end of the day. Suggestions?
Question by:SpottedBunny
4 Comments
 
LVL 4

Expert Comment

by:starmonkey
ID: 19666138
If I understand your question right...
Install the Group Policy Management MMC snap-in.
Create 1 group policy containing the policies you want both to have (like software installation), and link it to both OUs.
Create 2 separate group policies for access control and link them to the individual OUs. The policies should merge and give you what you want in each.
LVL 25

Accepted Solution

by:
Ron Malmstead earned 2000 total points
ID: 19666238
You need to create a Global group, ...something like.... "AllDesktopAdmins"....
Within each OU, for each division...there should be seperate OU's, for Users, Groups, Computers, Servers.  In the Group's OU....each division will had an admins group... something like GAdesktopAdmins (Georgia Desktop Admins)....with it's members.  All of the admins groups will be "nested" into the "AllDesktopAdmins" Group which should also be mail enabled.....this will be used for contacting all of your IT people thoughout the organization...as well as setting enterprise wide permissions for mahcines..  You should create a GPO for each individual OU that will be applied to all of the "Computers" OU's in each divisional OU...so for GA...you might call it..."GAaddAdmins Policy".  Within this GPO....you will add a startup script....as follows.
- GAaddAdmins.vbs -
' Computer startup script: runs as LocalSystem on every machine the GPO applies to.
Dim oGrpLocal
On Error Resume Next
' Bind to the local Administrators group on this machine ("." means the local computer).
Set oGrpLocal = GetObject("WinNT://./Administrators,group")
If Err.Number <> 0 Then
 WScript.Quit
End If
' If the domain group is not already a member of local Administrators, add it.
' WinNT:// paths take the NetBIOS domain name followed by the account name (no OU path).
If Not oGrpLocal.IsMember("WinNT://USA/GADesktopAdmins") Then
 oGrpLocal.Add "WinNT://USA/GADesktopAdmins"
End If

Now, as long as those machines are in the Computers OU within the Georgia OU and the GPO which has this script is linked to it, when these machines start up the GADesktopAdmins group will be added to the local admins group for all workstations in the OU. Sometimes this script requires a couple of machine reboots for group policy refresh after it is applied.

You can do the same for "GAfileServerAdmins"...etc.

Best practice...domain tree example

us.yourdomain.net
 ||
 ===  Corporate Office
 ||         ||  ||   ||   ||
 ||         ||  ||   ||   Servers
 ||         ||  ||   Workstations
 ||         ||  Users
 ||         Groups
 ||
===Georgia Division
 ||         ||  ||   ||   ||
 ||         ||  ||   ||   Servers
 ||         ||  ||   Workstations
 ||         ||  Users
 ||         Groups
 ||
 =====Kentucky Division
 ||         ||  ||   ||   ||
 ||         ||  ||   ||   Servers
 ||         ||  ||   Workstations
 ||         ||  Users
 ||         Groups
 ||
 ===All Distribution Lists
 ||
 ===New Workstations

Author Comment

by:SpottedBunny
ID: 19971020
xuserx2000, so to revisit and finalize this answer... I just need to modify the following in the script:

If Not oGrpLocal.IsMember("WinNT://USA/GADesktopAdmins") Then
 oGrpLocal.Add "WinNT://USA/GADesktopAdmins"

- Where does the USA come from?
- What are the parameters of "WinNT://USA/GADesktopAdmins"?
- The domain you list is us.yourdomain.net; I surmise the above syntax should actually be "WinNT://US/GADesktopAdmins"?
- I don't need to drill down further, say "WinNT://US/Georgia Division/GADesktopAdmins"?

Once this is clear I should be good to test it out. Sounds pretty neat!


LVL 25

Expert Comment

by:Ron Malmstead
ID: 21907508
I would like to add that the "best practice" method to add local admins is to use the group policy "Restricted Groups" settings rather than a startup script. This startup script will do the same thing; however, it is not policy-enforced.
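Added example (my own, not code from the thread or from either poster): the same "make the division's group a local administrator" step in PowerShell, plus the audit a practitioner would run on a member server before moving from the startup script to the Restricted Groups policy the last comment recommends. It uses the same WinNT ADSI provider as GAaddAdmins.vbs, so it runs on Windows Server 2003 SP2 with Windows PowerShell 2.0 as well as on current Windows. The names are the thread's hypothetical ones: NetBIOS domain USA, group GADesktopAdmins, built-in Domain Admins. Two facts about the mechanisms that the thread leaves open: a WinNT:// path is the NetBIOS domain name followed by the account name and never contains an OU; and Restricted Groups has two settings with very different blast radius. "Members of this group" replaces the local group's membership with exactly the listed accounts on every policy refresh, while "This group is a member of" only adds the named group and leaves other members alone. The audit function below lists what the first setting would strip.

```powershell
# Added example, not from the original thread. Requires Windows PowerShell 2.0
# or later. Run as a computer startup script (LocalSystem) for the add, or
# interactively as a local administrator for the audit.

# Hypothetical names from the thread: NetBIOS domain USA, group GADesktopAdmins.
$DomainGroup = "USA\GADesktopAdmins"
$LocalAdmins = [ADSI]"WinNT://./Administrators,group"   # "." = this computer

function ConvertTo-Sid([string]$Account) {
    # "USA\GADesktopAdmins" -> "S-1-5-21-...-1105". Throws if the name does
    # not resolve, which is what a startup script should do: fail loudly.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-LocalAdminMembers {
    # One object per member of local Administrators: ADsPath plus SID.
    # Accounts that no longer exist (e.g. from a decommissioned W2K/NT domain)
    # enumerate as WinNT://S-1-5-21-... with no name; we keep the bare SID.
    foreach ($m in @($LocalAdmins.psbase.Invoke("Members"))) {
        $path = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        $sid  = $null
        try {
            # IADs::Get("objectSid") returns the binary SID of the member.
            $bytes = $m.GetType().InvokeMember("Get", "InvokeMethod", $null, $m, @("objectSid"))
            $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        } catch {
            if ($path -match 'S-1-\d+(-\d+)+$') { $sid = $Matches[0] }
        }
        New-Object PSObject -Property @{ Path = $path; Sid = $sid }
    }
}

function Test-LocalAdminMember([string]$Account) {
    # Compare by SID, not by display name, so "USA\X" and "WinNT://USA/X"
    # and a renamed group all match correctly.
    $want = ConvertTo-Sid $Account
    [bool](Get-LocalAdminMembers | Where-Object { $_.Sid -eq $want })
}

function Add-LocalAdminMember([string]$Account) {
    # Same idempotent pattern as the VBScript: add only if not already present.
    # Returns $true when a change was made.
    if (Test-LocalAdminMember $Account) { return $false }
    $domain, $name = $Account -split '\\', 2
    $LocalAdmins.psbase.Invoke("Add", "WinNT://$domain/$name")   # NetBIOS domain, then account; no OU
    return $true
}

function Get-UnexpectedLocalAdmins([string[]]$Allowed) {
    # Everything in local Administrators that is NOT on the allow-list.
    # This is exactly the set a Restricted Groups policy configured with
    # "Members of this group" would remove on the next refresh; a policy
    # using "This group is a member of" only adds and leaves these alone.
    $ok = @($Allowed | ForEach-Object { ConvertTo-Sid $_ })
    Get-LocalAdminMembers | Where-Object { $ok -notcontains $_.Sid }
}

# --- usage ------------------------------------------------------------------
if (Add-LocalAdminMember $DomainGroup) { "Added $DomainGroup" } else { "$DomainGroup already a member" }

# Allow-list for the audit: the built-in local Administrator, Domain Admins,
# and the division group. Adjust to what the Restricted Groups policy will list.
$allowed = @("$env:COMPUTERNAME\Administrator", "USA\Domain Admins", $DomainGroup)
$extra = @(Get-UnexpectedLocalAdmins $allowed)
if ($extra.Count -gt 0) {
    "Present but not on the allow-list (a 'Members of this group' policy would remove these):"
    $extra | Format-Table Path, Sid -AutoSize
}
```

Run it interactively on one of the division's member servers before linking any policy: entries that show a bare SID and no name are accounts from the old domains that no longer resolve, and they are worth cleaning up as part of the consolidation rather than letting a "Members of this group" policy silently remove them along with anything else you forgot to list.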
