Require Computer object before joining Workstation

[Guest]

We have a mid-sized Active Directory with a number of OUs, but the problem is
that a lot of division admins will simply join computers to the domain and
never put the computer object in the correct OU.

I would like some way of forcing local admins to first create the computer
object in their OU before it allows them to join the computer to the domain.
I am trying to avoid computers going to the default Computers OU.

Side note: The Division admins are not in the Domain Admins group. Each
Division has full access to its respective OU.

My ‘Plan B’ is to put a shutdown command in a login script for the Computers
OU, but I’m sure there is a better way.

 

[Andrei Ungureanu]

yeap there is a better way.
Remove Authenticated Users from "Add workstations to domain" policy setting.

a description of this right is here:
http://www.microsoft.com/resources/...n/Windows/2000/server/reskit/en-us/gp/526.asp

Andrei Ungureanu
ww.eventid.net

 

[Guest]

Thanks for the info; quick follow-up question:

Okay, so I change the settings so that only domain admins have permission to
"Add workstations to domain" and to create objects in the default Computers
OU.

Now I will tell the division admin to create a computer object in his OU
(which he is able to do). Will the system then allow him to Add that
computer to the domain (considering that there is already an object created
and it just needs the secure channel password set)?

 

[Andrei Ungureanu]

quick answer: Yes (if his is the person that created the object, otherwise
there are some permissions that needs to be set on the object)


Andrei Ungureanu
www.eventid.net