Simple OU delegation and computer administration question, Windows 2003

So we're consolidating a slew of W2K and WNT domains into one gigantic one... and placing their respective standalone domains into OUs so...

Primary
-- W2K_1_OU
---- computers
---- users
-- W2K_2_OU
---- computers
---- users
...etc

We can delegate permissions to the OUs for AD management like a prior admin of W2K_2 domain to the now W2K_2_OU, but what of things like software installation? Say they have member servers in their new OU, what is the most efficient ways to give them control over their own servers?

I'm going through:
http://technet2.microsoft.com/windowsserver/en/library/ed0bb894-12a0-458d-9e5f-223e7303bfab1033.mspx?mfr=true 

... and subsequently: Restricted Groups Group Policy:
http://support.microsoft.com/kb/279301

But can't make sense of it. Probably because it's the end of the day. Suggestions?
SpottedBunny asked:
Ron Malmstead (Information Services Manager) commented:
You need to create a Global group, ...something like.... "AllDesktopAdmins"....
Within each OU, for each division...there should be separate OUs for Users, Groups, Computers, Servers.  In the Groups OU....each division will have an admins group... something like GAdesktopAdmins (Georgia Desktop Admins)....with its members.  All of the admins groups will be "nested" into the "AllDesktopAdmins" group, which should also be mail enabled.....this will be used for contacting all of your IT people throughout the organization...as well as setting enterprise wide permissions for machines.

You should create a GPO for each individual OU that will be applied to all of the "Computers" OUs in each divisional OU...so for GA...you might call it..."GAaddAdmins Policy".  Within this GPO....you will add a startup script....as follows.

- GAaddAdmins.vbs -
Dim oGrpLocal
On Error Resume Next
' Bind to the local Administrators group on this machine
Set oGrpLocal = GetObject("WinNT://./administrators,group")
If Err.Number <> 0 Then
    WScript.Quit
End If
' If the domain group is not already a member of local Administrators, add it
If Not oGrpLocal.IsMember("WinNT://USA/GADesktopAdmins") Then
    oGrpLocal.Add "WinNT://USA/GADesktopAdmins"
End If

Now as long as those machines are in the Computers OU within the Georgia OU, and the GPO which has this script is linked to it....when these machines startup....the GAdesktopAdmins group will be added to the local admins group for all workstations in the OU.  Sometimes this script requires a couple machine reboots for group policy refresh after it is applied.

You can do the same for "GAfileServerAdmins"...etc.

Best practice...domain tree example

us.yourdomain.net
 ||
 ===  Corporate Office
 ||         ||  ||   ||   ||
 ||         ||  ||   ||   Servers
 ||         ||  ||   Workstations
 ||         ||  Users
 ||         Groups
 ||
 ===Georgia Division
 ||         ||  ||   ||   ||
 ||         ||  ||   ||   Servers
 ||         ||  ||   Workstations
 ||         ||  Users
 ||         Groups
 ||
 ===Kentucky Division
 ||         ||  ||   ||   ||
 ||         ||  ||   ||   Servers
 ||         ||  ||   Workstations
 ||         ||  Users
 ||         Groups
 ||
 ===All Distribution Lists
 ||
 ===New Workstations
starmonkey commented:
If I understand your question right...
Install the Group Policy Management MMC snap-in.
Create 1 group policy containing the policies you want both to have (like software installation), and link it to both OUs.
Create 2 separate group policies for access control and link them to the individual OUs.  The policies should merge and give you what you want in each.
SpottedBunny (Author) commented:
xuserx2000, so to revisit and finalize this answer... I just need to modify the following in the script:

If Not oGrpLocal.IsMember("WinNT://USA/GADesktopAdmins") Then
 oGrpLocal.Add "WinNT://USA/GADesktopAdmins"

- Where does the USA come from?
- What are the parameters of "WinNT://USA/GADesktopAdmins"?
- The domain you list is us.yourdomain.net, I surmise the above syntax should actually be "WinNT://US/GADesktopAdmins"?
- I don't need to drill down further, say "WinNT://US/Georgia Division/GADesktopAdmins"?

Once this is clear I should be good to test it out. Sounds pretty neat!

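The thread never returns to the path-syntax questions above, so for reference: the WinNT ADSI provider that the posted script binds through has a flat namespace. The segment after WinNT:// is either a NetBIOS domain name or a computer name ("." for the local machine), followed by the account or group name, so an OU never appears in the path and the domain must be given by its NetBIOS name, not its DNS name. The PowerShell below is an added example, not from the thread or its author: it reads the local Administrators group through the same provider, prints each member's ADsPath (which shows the WinNT://DOMAIN/Name form), and reports any member that is not on an approved list, which is the check a server owner would want after the startup script or a Restricted Groups policy has applied. The NetBIOS name "US" and the group names are constructed placeholders.

```powershell
# Added example (not from the thread): audit local Administrators membership through the
# WinNT ADSI provider and report members that are not on an approved list.

# Approved members in WinNT path form. Constructed placeholders: replace the NetBIOS domain
# name "US" and the group names with your own.
$ApprovedMembers = @(
    'WinNT://US/Domain Admins',
    'WinNT://US/GADesktopAdmins'
)

function Get-LocalAdministratorMembers {
    param([string]$ComputerName = '.')
    # Bind to the local Administrators group; "." means the machine the script runs on.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # IADsGroup::Members returns COM objects; unwrap the two properties we need.
    $group.Invoke('Members') | ForEach-Object {
        $adsPath = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $class   = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
        [pscustomobject]@{ ADsPath = $adsPath; Class = $class }
    }
}

function Test-LocalAdministratorDrift {
    param(
        [string]$ComputerName = '.',
        [string[]]$Approved = $ApprovedMembers
    )
    # The provider reports the real computer name in ADsPath even when we bound with ".".
    $local = if ($ComputerName -eq '.') { $env:COMPUTERNAME } else { $ComputerName }
    # The built-in local Administrator account cannot be removed from Administrators,
    # so it is not treated as drift. String comparisons here are case-insensitive.
    Get-LocalAdministratorMembers -ComputerName $ComputerName | Where-Object {
        $_.ADsPath -ne "WinNT://$local/Administrator" -and
        ($Approved -notcontains $_.ADsPath)
    }
}

# Usage: run in an elevated session on the member server under review.
# Any row printed is an Administrators member that the approved list does not account for.
Test-LocalAdministratorDrift | Format-Table -AutoSize
```

Running Get-LocalAdministratorMembers on its own is the quickest way to see what the provider actually calls your domain: a domain group appears as WinNT://<NetBIOS name>/<group>, with no OU component, regardless of which OU it lives in.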
Ron Malmstead (Information Services Manager) commented:
I would like to add that the "best practice" method to add local admins is to use group policy "restricted groups" settings, rather than a startup script.  This startup script will do the same thing; however, it is not policy enforced.
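Restricted Groups (the KB article linked in the question and the recommendation just above) is stored in the GPO's security template, GptTmpl.inf under MACHINE\Microsoft\Windows NT\SecEdit\ in the policy's SYSVOL folder, in the [Group Membership] section. The two kinds of entry behave differently, and the difference is what "policy enforced" means here: a <group>__Members line is authoritative, so on every policy refresh the target group's membership is reset to exactly that list and anything else is removed; a <group>__Memberof line is additive, placing the named group into the target and leaving the other members alone. The fragment below is an added example, not from the thread or the KB article, showing both forms for the Georgia case; "US" as the NetBIOS domain name, the group names, and the <domain> portion of the SID are constructed placeholders. Normally you set this through the GPO editor (Computer Configuration > Windows Settings > Security Settings > Restricted Groups), which writes these lines for you.

```ini
[Group Membership]
; Additive form ("This group is a member of"): put US\GADesktopAdmins into the local
; Administrators group (well-known SID S-1-5-32-544) on every computer in scope,
; keeping whatever else is already in Administrators. Equivalent to the startup script.
US\GADesktopAdmins__Memberof = *S-1-5-32-544
US\GADesktopAdmins__Members =

; Authoritative form ("Members of this group"): Administrators becomes exactly this list
; on each refresh and any other member is removed (the built-in Administrator account
; always remains). *S-1-5-21-<domain>-512 is a placeholder for the Domain Admins SID.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-<domain>-512,US\GADesktopAdmins
```

Either entry alone is enough; they are shown together to contrast them. The authoritative form is the one that removes a local admin someone added by hand, which is the property the startup script lacks, so before linking it confirm the list includes every account the servers' owners legitimately need.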
Question has a verified solution.