Delegating permission to support staff

  • Delegating permission to support staff

    Dear All,

    I need some help regarding delegating some permissions to my support staff. I need them to:

    - join systems to the domain
    - By default, any system that joins the domain goes to 'Computers', but I don't want this for PCs and laptops because I have OUs for desktops and laptops on which I've applied group policy, so that once a system is moved to the OU, Office 2010 is installed and some certificates are added to the browser. So for my support staff, I want a system they join to the domain to go to the 'desktops' and 'laptops' OUs. How can this be done?

    At this time I have the above requirements as a minimum to divide the workload between myself and the support staff.

    Please let me know if my question is not clear.


  • #2
    Re: Delegating permission to support staff

    By default, all user accounts in AD can join up to 10 machines to the domain - this value can be changed through Group Policy.

    You can also change the default user and computer containers (where newly added computers/users go) using redircmp or redirusr (see If you create your desktop and laptop OUs under a parent OU, you can then delegate permission to move objects within those OUs only
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Delegating permission to support staff

      Many thanks for your quick response.
      My two OUs for desktops and laptops are not under one parent OU, so I need to delegate on two OUs in my case?

      Concerning the default location for computers/users: if I change it by following the article you gave, then when joining any server it will also go to my self-created computers OU, right? How do I handle this?


      • #4
        Re: Delegating permission to support staff

        There can only be one default for computer objects.

        The way to handle it is to either move the object after it's created from a domain join or to create the computer object in the OU of choice and then join the computer to the domain (names must match exactly).

        It's really not a big deal and the administrative burden is the same.

        Network Consultant/Engineer
        Baltimore - Washington area and beyond


        • #5
          Re: Delegating permission to support staff

          Just to add what Jeremy says about moving a computer object, it is a simple matter of Drag 'n Drop the object from the Default OU to the desired target OU.
          Joined: 23rd December 2003
          Departed: 23rd December 2015


          • #6
            Re: Delegating permission to support staff

            Alternately, you can use PowerShell and a scheduled task to distribute these automatically.

            I have done that using the Get-WmiObject cmdlet to identify the platform and hardware attributes, then distribute the objects into whatever OU I need them to be in.
            Rules of life:
            1. Never do anything that requires thinking after 2:30 PM
            2. Simplicity is godliness
            3. Scale with extreme prejudice

            I occasionally post using a savantphone, so please don't laugh too hard at the typos...
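
The approach described in post #6, sketched as an added example (not the poster's own script): it reads each machine in the default container over WMI, leaves servers and domain controllers where they are, and moves workstations by chassis type. The `example.com` OU paths are placeholders, and it assumes the ActiveDirectory (RSAT) module and WMI reachability to the clients.

```powershell
# Added example: OU distinguished names below are placeholders (assumptions).
Import-Module ActiveDirectory

$DefaultContainer = 'CN=Computers,DC=example,DC=com'
$TargetOU = @{
    Desktop = 'OU=Desktops,DC=example,DC=com'
    Laptop  = 'OU=Laptops,DC=example,DC=com'
}
# Win32_SystemEnclosure.ChassisTypes values (SMBIOS chassis codes)
$LaptopChassis  = 8, 9, 10, 14
$DesktopChassis = 3, 4, 5, 6, 7, 13, 15

function Get-PlatformClass {
    param([int]$ProductType, [int[]]$ChassisTypes)
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server
    if ($ProductType -ne 1) { return 'Skip' }
    foreach ($c in $ChassisTypes) {
        if ($LaptopChassis  -contains $c) { return 'Laptop' }
        if ($DesktopChassis -contains $c) { return 'Desktop' }
    }
    return 'Skip'
}

$computers = Get-ADComputer -Filter * -SearchBase $DefaultContainer -SearchScope OneLevel
foreach ($computer in $computers) {
    try {
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer.DNSHostName -ErrorAction Stop
        $enc = Get-WmiObject -Class Win32_SystemEnclosure -ComputerName $computer.DNSHostName -ErrorAction Stop
    } catch {
        # Offline or pre-staged objects stay where they are until the next run.
        Write-Warning "$($computer.Name): WMI query failed, left in place ($($_.Exception.Message))"
        continue
    }
    $chassis = $enc | ForEach-Object { $_.ChassisTypes }
    $class   = Get-PlatformClass -ProductType $os.ProductType -ChassisTypes $chassis
    if ($class -eq 'Skip') {
        Write-Output "$($computer.Name): not a recognised workstation, left in place"
        continue
    }
    # -WhatIf only reports the move; remove it once the output has been reviewed.
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU[$class] -WhatIf
    Write-Output "$($computer.Name): $class -> $($TargetOU[$class])"
}
```

For the scheduled task, an account delegated only to move computer objects between the default container and the two target OUs is sufficient; it does not need Domain Admin rights.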