Specific AD Permissions?

I was wondering if there was a way in Active Directory to limit what can be moved to specific containers?

Here's my situation: I work for a company that has 28 plants, all plants have a Domain Controller, and there is a "main" domain controller at the corporate office. Right now, no plant Lead IT Contacts have permission to move, say, a new computer that has been built into their corresponding plant computer container; they have to call up to the corp office and have them do it for them. (These permissions were removed because of the few people who did not double check their actions and moved the computers into a computer container at a different plant, which of course messed up group policies, etc.) Is there a way to limit what can be moved by using a certain naming convention, or the like?
jjreese Asked:
JohnGerhardt Commented:
Create a group, populate the group with users that you want to have access. Then delegate control to that group to perform what you want to do...
0
 
JohnGerhardt Commented:
Not sure that is possible. The only thing I can think of is to have an automated script that runs on the central DC that moves the machines according to naming convention into the correct OU. Then don't give anybody else permissions to move machines. This however could cause trouble if the computer is named wrong...!
0
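Sketch of the scheduled script described in the comment above, as an added example (not code from the thread or from any of the participants). It reads computers that are still sitting in the default Computers container, works out the plant from a name prefix, and moves each one into that plant's OU; names that do not match the convention or carry an unknown plant code are logged and left where they are, which is the "computer is named wrong" case. The domain (corp.example.com), the OU layout (OU=<code>,OU=Plants,...), the three-letter-prefix convention and the log path are all assumptions made for the example. It uses only the ActiveDirectory module cmdlets (Get-ADComputer, Move-ADObject) that ship with RSAT.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example: move newly joined computers from the staging container into
  the plant OU chosen by their name prefix. Everything below the param block
  that names a DN, a prefix or a path is a constructed assumption.
#>
param(
    # Run against the DC this is scheduled on; replication carries the move to
    # the other plants, so the script can live on each local DC if preferred.
    [string]$Server = $env:COMPUTERNAME,
    # Dry run: report what would move, move nothing.
    [switch]$WhatIf
)

Import-Module ActiveDirectory

$Domain  = 'DC=corp,DC=example,DC=com'            # assumed domain
$Staging = "CN=Computers,$Domain"                  # default join container
$Plants  = "OU=Plants,$Domain"                     # one child OU per plant code
$Log     = 'C:\Logs\ou-moves.log'                  # assumed log location

# Constructed plant codes. Only codes listed here are ever used as a target, so
# a typo in a computer name can never send it to some other plant's OU.
$KnownPlants = @('ATL', 'DET', 'HOU')

function Write-MoveLog([string]$Message) {
    Add-Content -Path $Log -Value "$(Get-Date -Format o) $Message"
}

# Look only at the staging container; machines already placed are never touched.
$Computers = Get-ADComputer -Server $Server -SearchBase $Staging `
                            -SearchScope OneLevel -Filter *

foreach ($c in $Computers) {
    # Strict convention: three upper-case letters, a dash, then letters/digits/dashes.
    if ($c.Name -match '^(?<plant>[A-Z]{3})-[A-Z0-9-]+$') {
        $plant = $Matches.plant
    } else {
        Write-MoveLog "SKIP  $($c.Name): does not match naming convention"
        continue
    }

    if ($KnownPlants -notcontains $plant) {
        Write-MoveLog "SKIP  $($c.Name): unknown plant code '$plant'"
        continue
    }

    $target = "OU=$plant,$Plants"
    if ($WhatIf) {
        Write-Host "Would move $($c.Name) -> $target"
        continue
    }

    try {
        Move-ADObject -Server $Server -Identity $c.DistinguishedName -TargetPath $target
        Write-MoveLog "MOVE  $($c.Name) -> $target"
    } catch {
        # Typical causes: target OU missing, or the scheduled account lacks
        # Create Child on the target / Delete Child on the source.
        Write-MoveLog "ERROR $($c.Name): $($_.Exception.Message)"
    }
}
```

Run it once with -WhatIf under the scheduled account to confirm the prefix-to-OU mapping before letting Task Scheduler run it unattended. Because the account doing the moves is the only one that needs Create Child on the plant OUs and Delete Child on the staging container, the plant contacts keep no move rights at all, which is the point of the approach.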
 
jjreese (Author) Commented:
Would it be possible to do on the local DCs at each plant? Or because of replication would that not work?
0
JohnGerhardt Commented:
No, you could do it at each DC as well. If you schedule the script to run with an account that has the elevated permissions to move machines then it will happily move things, but anyone else shouldn't be able to move them anywhere else...
0
 
jjreese (Author) Commented:
Is there a way to assign the permissions to do this to only a select few people? I'm assuming the domain admin account? But the problem we'll run into with that is the other plant IT contacts whining and complaining that "so and so has the ability", etc. etc. What a pain....
0
 
jjreese (Author) Commented:
Then is there a way to track who moved what, in case someone moved a machine to the wrong container, thus resulting in group policy errors, etc.?
0
 
JohnGerhardt Commented:
Have a look @
http://downloads.zdnet.com/abstract.aspx?docid=352777

But consider the extra load on the DC for this...
0
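The "who moved what" question can also be answered from the DC's own Security log without a third-party tool, which is the approach shown in this added example (not code from the thread or the linked download). With the Directory Service Changes audit subcategory enabled and an auditing entry on the OU tree, every object move is recorded as Security event 5139 ("A directory service object was moved") carrying the account that did it and the old and new distinguished names. The function below pulls those events from a DC, keeps the computer-object moves, and flags any move where the name's plant prefix disagrees with the destination OU. The OU layout (OU=<code>,OU=Plants,DC=corp,DC=example,DC=com) and the three-letter-prefix convention are assumptions made for the example; the event ID and its field names are those Windows emits for 5139.

```powershell
<#
  Added example: list computer-object moves from the Security log on a DC and
  flag moves that land a machine in a plant OU other than the one its name says.

  One-time prerequisites on each DC (not done by this script):
    1. Enable the subcategory:
         auditpol /set /subcategory:"Directory Service Changes" /success:enable
    2. Put a Success auditing entry on OU=Plants (and on CN=Computers) for
       Everyone, Create/Delete child + Write all properties, "This object and
       all descendant objects" (ADUC > Properties > Security > Advanced > Auditing).
  Without step 2 the subcategory alone records nothing.
#>

# Assumed OU layout: one child OU per three-letter plant code.
$PlantsDn = 'OU=Plants,DC=corp,DC=example,DC=com'

function Get-ComputerMoves {
    param(
        [string]$Server = $env:COMPUTERNAME,      # DC whose Security log to read
        [datetime]$Since = (Get-Date).AddDays(-7)
    )

    # 5139 = "A directory service object was moved".
    $events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Security'; Id = 5139; StartTime = $Since
    } -ErrorAction SilentlyContinue   # no matching events is not an error here

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.ObjectClass -ne 'computer') { continue }

        # Work out which OU the naming convention says this machine belongs in.
        $name = ($d.OldObjectDN -split ',')[0] -replace '^CN=', ''
        $expected = $null
        if ($name -match '^(?<plant>[A-Z]{3})-') {
            $expected = "OU=$($Matches.plant),$PlantsDn"
        }

        [pscustomobject]@{
            When       = $e.TimeCreated
            Who        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Computer   = $name
            MovedFrom  = $d.OldObjectDN
            MovedTo    = $d.NewObjectDN
            ExpectedOu = $expected
            # True when the destination is not the OU the name prefix points to,
            # i.e. the "moved into a different plant's container" mistake.
            Mismatch   = ($null -ne $expected) -and
                         ($d.NewObjectDN -notlike "*,$expected")
        }
    }
}

# Typical use: show last week's moves on this DC, wrong-plant moves first.
Get-ComputerMoves | Sort-Object Mismatch -Descending |
    Format-Table When, Who, Computer, MovedTo, Mismatch -AutoSize
```

Each DC logs only the moves it processed itself, so either run this against every plant DC or forward the Security logs to a central collector; this is the "extra load" caveat in the comment above, since auditing object changes on a busy DC adds log volume rather than directory load. The event is written even when the mover is a Domain Admin, so the same query answers the earlier concern about a few privileged accounts being the only ones able to move machines.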