jjreese

Specific AD Permissions?

I was wondering if there was a way in Active Directory to limit what can be moved to specific containers?

Here's my situation: I work for a company that has 28 plants. All plants have a domain controller, and there is a "main" domain controller at the corporate office. Right now, no plant Lead IT Contacts have permission to move, say, a new computer that has been built into their corresponding plant computer container; they have to call up to the corp office and have them do it for them. (These permissions were removed because of the few people who did not double-check their actions and moved the computers into a computer container at a different plant, which of course messed up group policies, etc.) Is there a way to limit what can be moved by using a certain naming convention, or the like?
JohnGerhardt

Not sure that is possible. The only thing I can think of is to have an automated script that runs on the central DC and moves the machines into the correct OU according to naming convention. Then don't give anybody else permissions to move machines. This, however, could cause trouble if the computer is named wrong...!
jjreese (ASKER)

Would it be possible to do on the local DCs at each plant? Or because of replication would that not work?

No, you could do it at each DC as well. If you schedule the script to run with an account that has the elevated permissions to move machines, then it will happily move things, but anyone else shouldn't be able to move them anywhere else...
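One way to write the scheduled move-by-name script the replies above describe (an added example, not code posted by either participant). The domain, OU paths, log path and the `PLnn-XXnnnn` naming pattern are assumptions; a machine whose name does not fit is left where it is and reported, which covers the "named wrong" case raised above.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed staging location: the default Computers container (placeholder domain)
    [string]$StagingContainer = 'CN=Computers,DC=corp,DC=example,DC=com',
    # Assumed log location; every decision is appended here for later review
    [string]$LogPath = 'C:\Logs\ou-sort.csv'
)

# Constructed mapping: plant code -> plant computer OU (placeholder DNs)
$PlantOus = @{
    'PL01' = 'OU=Computers,OU=Plant01,DC=corp,DC=example,DC=com'
    'PL02' = 'OU=Computers,OU=Plant02,DC=corp,DC=example,DC=com'
}
# Assumed convention: <plant code>-<two-letter role><four digits>, e.g. PL01-WS0042
$Pattern = '^(?<plant>PL\d{2})-[A-Z]{2}\d{4}$'

$results = @(foreach ($pc in Get-ADComputer -Filter * -SearchBase $StagingContainer -SearchScope OneLevel) {
    $action = 'Skipped'; $target = $null
    # Move only when the name parses AND the plant code is one we know
    if ($pc.Name -match $Pattern -and $PlantOus.ContainsKey($Matches['plant'])) {
        $target = $PlantOus[$Matches['plant']]
        if ($PSCmdlet.ShouldProcess($pc.DistinguishedName, "Move to $target")) {
            try {
                Move-ADObject -Identity $pc.DistinguishedName -TargetPath $target -ErrorAction Stop
                $action = 'Moved'
            } catch {
                $action = "Failed: $($_.Exception.Message)"
            }
        } else { $action = 'NotApplied' }   # -WhatIf run or confirmation declined
    }
    [pscustomobject]@{
        Time = (Get-Date).ToString('s'); Computer = $pc.Name
        Target = $target; Action = $action
    }
})

$results | Export-Csv -Path $LogPath -Append -NoTypeInformation
$results | Where-Object Action -eq 'Skipped' | ForEach-Object {
    Write-Warning "$($_.Computer) does not fit the naming convention or plant map; left in staging."
}
```

Run it with `-WhatIf` first to see which machines would move without changing anything.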
jjreese (ASKER)

Is there a way to assign the permissions to do this to only a select few people? I'm assuming the domain admin account? But the problem we'll run into with that is the other plant IT contacts whining and complaining that "so and so has the ability", etc. etc. What a pain....
ASKER CERTIFIED SOLUTION
JohnGerhardt
This solution is only available to members.
jjreese (ASKER)

Then is there a way to track who moved what, in case someone moved a machine to the wrong container, thus resulting in group policy errors, etc?
Have a look at http://downloads.zdnet.com/abstract.aspx?docid=352777

But consider the extra load on the DC for this...