Specific AD Permissions?

I was wondering if there was a way in Active Directory to limit what can be moved to specific containers?

Here's my situation - I work for a company that has 28 plants, all plants have a Domain Controller, and there is a "main" domain controller at the corporate office. Right now, no plant Lead IT Contacts have permission to move, say, a new computer that has been built, into their corresponding plant computer container; they have to call up to the corp office and have them do it for them. (These permissions were removed because of the few people who did not double check their actions, and moved the computers into a computer container at a different plant, which of course messed up group policies, etc.) Is there a way to limit what can be moved by using a certain naming convention, or the like?
jjreese Asked:

JohnGerhardt Commented:
Not sure that is possible. The only thing I can think of is to have an automated script that runs on the central DC that moves the machines according to naming convention into the correct OU. Then don't give anybody else permissions to move machines. This however could cause trouble if the computer is named wrong...!
jjreese Author Commented:
Would it be possible to do on the local DCs at each plant? Or because of replication would that not work?
JohnGerhardt Commented:
No, you could do it at each DC as well. If you schedule the script to run with an account that has the elevated permissions to move machines then it will happily move things, but anyone else shouldn't be able to move them anywhere else...
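
The scheduled script suggested in the comments above could be written as follows. This is an added example, not code from the thread: the domain, plant codes, OU paths, staging container and log path are assumed placeholders, and the naming convention (three-letter plant code, then a hyphen) is hypothetical. Machines whose names do not match the convention are left where they are and logged, which covers the wrongly named computer case raised above.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: newly joined machines land in the default Computers container.
    [string]$StagingContainer = 'CN=Computers,DC=corp,DC=example,DC=com',
    # Assumption: the log folder already exists on the machine running the task.
    [string]$LogPath = 'C:\Logs\Move-PlantComputers.csv'
)

# Assumed convention: <3-letter plant code>-<anything>, e.g. ATL-WS0123.
# Plant codes and OU paths are placeholders; add one entry per plant.
$PlantOU = @{
    'ATL' = 'OU=Computers,OU=Atlanta,DC=corp,DC=example,DC=com'
    'DAL' = 'OU=Computers,OU=Dallas,DC=corp,DC=example,DC=com'
}

# OneLevel: only objects directly in the staging container are considered,
# so machines that have already been placed are never touched again.
$computers = Get-ADComputer -Filter * -SearchBase $StagingContainer -SearchScope OneLevel

foreach ($c in $computers) {
    $target = $null
    $result = 'Skipped: name does not match convention'
    if ($c.Name -match '^(?<plant>[A-Za-z]{3})-') {
        $target = $PlantOU[$Matches['plant'].ToUpper()]
        if (-not $target) {
            $result = 'Skipped: unknown plant code'
        }
        elseif ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Move to $target")) {
            try {
                Move-ADObject -Identity $c.ObjectGUID -TargetPath $target -ErrorAction Stop
                $result = 'Moved'
            }
            catch { $result = "Failed: $($_.Exception.Message)" }
        }
        else { $result = 'Not moved (WhatIf or declined)' }
    }
    # One row per machine; -WhatIf:$false keeps the log written during a dry run.
    [pscustomobject]@{
        Time   = (Get-Date).ToString('s')
        Name   = $c.Name
        Target = $target
        Result = $result
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation -WhatIf:$false
}
```

Running it with `-WhatIf` first writes the planned moves and skips to the log without changing anything in the directory.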
jjreese Author Commented:
Is there a way to assign the permissions to do this to only a select few people? I'm assuming the domain admin account? But the problem we'll run into with that is the other plant IT contacts whining and complaining that "so and so has the ability", etc. etc. What a pain....
JohnGerhardt Commented:
Create a group, populate the group with users that you want to have access. Then delegate control to that group to perform what you want to do...
jjreese Author Commented:
Then is there a way to track who moved what, in case someone moved a machine to the wrong container, thus resulting in group policy errors, etc?
JohnGerhardt Commented:
Have a look at:
http://downloads.zdnet.com/abstract.aspx?docid=352777

But consider the extra load on the DC for this...