Howdie!
Glen schrieb:
> Currently, the Computer OU is the default container where new computer
> accounts are added. The problem is, I end up with all sorts of accounts
> there and they are never moved to the right OU.
>
> I would like to require that the computer account be created first, or at
> least restrict access to the default Computers OU so new accounts can not be
> created by non-domain admins.
>
> I don't see anything security settings in the ACL that should allow accounts
> to be created by non-admins but it still seems to be happening. The only
> account that I think might be allowing this to happen is the System Account
> which has Full Control but I"m leary to change the settings on that.
Yeah - what you noticed is correct. Users are allowed to join up to 10
machines to the domain (by default). They don't need to have admin privs
to do that. Meinolf already provided you with a link on how you can
disable that - or change the default number of machines they can add.
When setting the number to 0, I would also make sure a certain group of
people (let them be the Helpdesk, any 2nd level support folks..) have
the ability to create machine accounts other than you. You certainly
don't want to run and rush to join machines to the domain..
Another aproach that I've seen pretty often is using redircmp (and
redirusr). That let's you specify another default location - possibly an
OU, other than the "Computers" container that is built-in. Like that,
you could create a standard Group Policy newly joined machines apply.
I've seen folks link Software Installation policies or prep-scripts to
such an OU.
Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog:
http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.
Similar Threads
Linear Mode
