Precreating Computers In Active Directory
Monday, August 4, 2008
This is a simple one that goes back to a conversation I had with a consultant. We were talking about adding a computer to a domain and then moving the computer to the designated OU that was dedicated to that site. I made the comment that it might be even better to precreate the computer account in the appropriate OU and then you don't need to bug a domain administrator to do the moving around. His reply was something like "Yea I haven't had good luck with that." That's one of my favorite reasons for technical problems. It's kind of like saying, I tried it once, it didn't work, so it must be broken.
Why Do This?
Anyways, the real reason that you would want to do this is if you have a team of IT staff where a few have domain administrators rights but most of them are just local admins on the workstations to provide support and install software. Adding a computer to the domain would be a normal task for these kind of support staff.
Problem
So you have a brand new computer that you want to add to your network. You assign on of the non domain admins to install necessary software and join it to the domain. When he adds it to the domain, the computer is dumped into the "computers" folder in AD where the appropriate group policies and delegated access is NOT applied. You want the new computer to go into a separate OU but you don't want to grant the user access to move or manipulate Active Directory AND you want to delegate the entire process to the admins so that you don't need to be involved in the specifics. So what do you do?
Solution
If you precreate the computer in the appropriate OU in Active Directory, when that computer is joined to the domain, it will have the group policies and permissions that it needs. As a domain admin, you can precreate the computer account yourself but you'd rather delegate access the IT support team. Here's how you do it:
Delegate Control To Non-Domain Admins
- Open Active Directory Users and Computers
- Right click on the OU and then click All Tasks>Delegate Control
- Click Add and put in the appropriate user or group (IT Admins)
- Click "create a custom task to delegate"
- Click "only the following objects in this folder"
- Check Computer Objects
- Check "Create selected objects in this folder"
- Under "Show these permissions" uncheck everything and click "Next"
You've now granted non-admins access to create computers inside of that OU.
Pre-Create New Computer
These are the tasks for the non-admin to perform using the Server 2003 Admin Pack
- In Active Directory Users and Computers, right click the target OU the computer should go to and choose New>Computer
- Name the computer
- Under "The following users or group can join this computer to the domain" choose a group that has appropriate access like "IT Admins" or "Domain Users" to allow anyone do it.
This is the step that is usually missed. If you don't do this, then by default Domain Admins are the only one that can add the computer to the domain.
- Click Next
Now on the client you go through the normal process of adding the computer to the domain.Labels: active directory, group policy, system administration, windows server 2003
This is a simple one that goes back to a conversation I had with a consultant. We were talking about adding a computer to a domain and then moving the computer to the designated OU that was dedicated to that site. I made the comment that it might be even better to precreate the computer account in the appropriate OU and then you don't need to bug a domain administrator to do the moving around. His reply was something like "Yea I haven't had good luck with that." That's one of my favorite reasons for technical problems. It's kind of like saying, I tried it once, it didn't work, so it must be broken.
Why Do This?
Anyways, the real reason that you would want to do this is if you have a team of IT staff where a few have domain administrators rights but most of them are just local admins on the workstations to provide support and install software. Adding a computer to the domain would be a normal task for these kind of support staff.
Problem
So you have a brand new computer that you want to add to your network. You assign on of the non domain admins to install necessary software and join it to the domain. When he adds it to the domain, the computer is dumped into the "computers" folder in AD where the appropriate group policies and delegated access is NOT applied. You want the new computer to go into a separate OU but you don't want to grant the user access to move or manipulate Active Directory AND you want to delegate the entire process to the admins so that you don't need to be involved in the specifics. So what do you do?
Solution
If you precreate the computer in the appropriate OU in Active Directory, when that computer is joined to the domain, it will have the group policies and permissions that it needs. As a domain admin, you can precreate the computer account yourself but you'd rather delegate access the IT support team. Here's how you do it:
Delegate Control To Non-Domain Admins
- Open Active Directory Users and Computers
- Right click on the OU and then click All Tasks>Delegate Control
- Click Add and put in the appropriate user or group (IT Admins)
- Click "create a custom task to delegate"
- Click "only the following objects in this folder"
- Check Computer Objects
- Check "Create selected objects in this folder"
- Under "Show these permissions" uncheck everything and click "Next"
Pre-Create New Computer
These are the tasks for the non-admin to perform using the Server 2003 Admin Pack- In Active Directory Users and Computers, right click the target OU the computer should go to and choose New>Computer
- Name the computer
- Under "The following users or group can join this computer to the domain" choose a group that has appropriate access like "IT Admins" or "Domain Users" to allow anyone do it.
This is the step that is usually missed. If you don't do this, then by default Domain Admins are the only one that can add the computer to the domain. - Click Next
Labels: active directory, group policy, system administration, windows server 2003