Solved

Specific AD Permissions?

Posted on 2008-11-05
168 Views
Last Modified: 2010-03-17
I was wondering if there was a way in active directory to limit what can be moved to specific containers?

Here's my situation - I work for a company that has 28 plants, all plants have a Domain Controller, and there is a "main" domain controller at the corporate office.  Right now, no plant Lead IT Contacts have permission to move, say a new computer that has been built, into their corresponding plant computer container, they have to call up to the corp office and have them do it for them.  (These permissions were removed because of the few people who did not double check their actions, and moved the computers into a computer container at a different plant, which of course messed up group policies, etc.)  Is there a way to limit what can be moved by using a certain naming convention, or the like?
Question by:jjreese
7 Comments
 
LVL 17

Expert Comment

by:JohnGerhardt
ID: 22887590
Not sure that is possible... The only thing I can think of is to have an automated script that runs on the central DC that moves the machines according to naming convention into the correct OU. Then don't give anybody else permissions to move machines. This however could cause trouble if the computer is named wrong!

Author Comment

by:jjreese
ID: 22887623
Would it be possible to do on the local DCs at each plant? Or because of replication would that not work?
LVL 17

Expert Comment

by:JohnGerhardt
ID: 22887692
No, you could do it at each DC as well. If you schedule the script to run with an account that has the elevated permissions to move machines then it will happily move things, but anyone else shouldn't be able to move them anywhere else...

Author Comment

by:jjreese
ID: 22887721
Is there a way to assign the permissions to do this to only a select few people? I'm assuming the domain admin account? But the problem we'll run into with that is the other plant IT contacts whining and complaining that "so and so has the ability", etc., etc. What a pain...
LVL 17

Accepted Solution

by:
JohnGerhardt earned 1500 total points
ID: 22887921
Create a group, populate the group with users that you want to have access. Then delegate control to that group to perform what you want to do...

Author Comment

by:jjreese
ID: 22887985
Then is there a way to track who moved what, in case someone moved a machine to the wrong container, thus resulting in group policy errors, etc.?
LVL 17

Expert Comment

by:JohnGerhardt
ID: 22888059
Have a look at
http://downloads.zdnet.com/abstract.aspx?docid=352777

But consider the extra load on the DC for this...
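One way to build the delegation JohnGerhardt describes (a plant group that can move computers only into its own plant's OU) together with a check for the later question of who moved what. This is an added example written for this thread, not code posted by anyone in it; the domain, OU and group names are assumptions, and it uses the Active Directory PowerShell module, which did not exist when the question was asked.

```powershell
Import-Module ActiveDirectory

# Assumed names: adjust to your forest. One group per plant keeps "so and so has the ability" symmetric.
$plantOu   = "OU=Computers,OU=Plant01,DC=corp,DC=example"   # destination OU for this plant only
$stagingOu = "CN=Computers,DC=corp,DC=example"               # where freshly joined machines land
$group     = Get-ADGroup "Plant01-ComputerAdmins"             # that plant's IT contacts
$sid       = [System.Security.Principal.SecurityIdentifier] $group.SID
$computerClass = [Guid] "bf967a86-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the 'computer' class

function Add-ComputerAce {
    # Adds one Allow ACE for $sid, scoped to computer objects, on the container $Dn.
    param([string] $Dn,
          [System.DirectoryServices.ActiveDirectoryRights] $Rights,
          [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inherit)
    $acl = Get-Acl -Path "AD:\$Dn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $computerClass, $Inherit)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# A move is a modifyDN: the caller needs create rights for the object class at the destination
# and delete rights at the source. Granting these on the plant OU and the staging container only
# means the group cannot drop a machine into another plant's OU (no create right there).
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
Add-ComputerAce -Dn $plantOu   -Rights $createDelete -Inherit None
Add-ComputerAce -Dn $stagingOu -Rights DeleteChild   -Inherit None
# Verify with a test account in the group: move into $plantOu succeeds, move into another plant's OU is denied.

function Get-ComputerMoveEvents {
    # Answers "who moved what": Security event 5139 ("A directory service object was moved").
    # Requires the Audit Directory Service Changes subcategory and a SACL on the OUs; read it on every DC,
    # since the event is logged only on the DC that performed the move.
    param([string] $DomainController = (Get-ADDomainController).HostName, [int] $Days = 7)
    $filter = @{ LogName = 'Security'; Id = 5139; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter | ForEach-Object {
        $x = [xml] $_.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject] @{ When = $_.TimeCreated; Who = $d.SubjectUserName
                            From = $d.OldObjectDN;  To  = $d.NewObjectDN }
    }
}
Get-ComputerMoveEvents | Where-Object { $_.To -notlike "*$plantOu" } | Format-Table -AutoSize
```

The last line lists recent moves that did not land in the expected plant OU, which is the case the question is worried about; the ACE check itself can be reviewed afterwards with `(Get-Acl "AD:\$plantOu").Access`.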
