Adding Computers to AD Domain

  • Question

  • how does active directory decide what OU it stores computers that have just been added to a domain?


    pajoryan123
    Friday, March 5, 2010 9:17 AM

All replies

  • Hi, Pajor.

    You might want to have a read of this article: http://support.microsoft.com/default.aspx/kb/324949.

    Active Directory uses the values held within this binary object (wellKnownObjects) as the default destination point for computers created via normal tools that don't specify a location. That said, many tools now do allow you to specify the object location. Netdom and Windows Deployment Services, for example, have mechanisms in place for specifying an OU.

    Cheers,
    Lain
    • Proposed as answer by Meinolf Weber Monday, March 8, 2010 12:11 AM
    Friday, March 5, 2010 11:18 AM
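As an added example (not part of the thread, and not Lain's code), the following PowerShell reads the wellKnownObjects attribute that the reply above refers to, picks out the entry for the default Computers container, and shows the two ways to put a new computer somewhere else: redirecting the default with redircmp.exe (the method the KB article describes) or naming the OU at join time. It assumes the ActiveDirectory RSAT module and a domain-joined admin session; the OU path "OU=Workstations,DC=contoso,DC=com" is an assumed value.

```powershell
# Added example: find where computers land when no OU is specified, and how to override it.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# wellKnownObjects is multi-valued; each entry is a DN-with-binary string:
#   B:32:<32 hex chars of GUID>:<DN>
# AA312825768811D1ADED00C04FD8D5CD is the well-known GUID of the default
# Computers container, i.e. the entry that redircmp.exe rewrites.
$ComputersContainerGuid = 'AA312825768811D1ADED00C04FD8D5CD'

$wko = (Get-ADObject -Identity $domain.DistinguishedName -Properties wellKnownObjects).wellKnownObjects

$defaultComputerContainer = $wko |
    ForEach-Object {
        $parts = $_ -split ':', 4           # 'B', '32', GUID, DN (DN may itself contain no colons)
        [pscustomobject]@{ Guid = $parts[2]; DN = $parts[3] }
    } |
    Where-Object { $_.Guid -ieq $ComputersContainerGuid } |
    Select-Object -ExpandProperty DN

"Computers joined without an explicit OU are created in: $defaultComputerContainer"
# Cross-check against the cmdlet's own property, which reads the same entry:
"Get-ADDomain.ComputersContainer reports:           $($domain.ComputersContainer)"

# Option A: change the default for the whole domain (run once, as a Domain Admin,
# at Windows Server 2003 domain functional level or higher):
#   redircmp.exe "OU=Workstations,DC=contoso,DC=com"

# Option B: leave the default alone and name the OU when joining.
# $targetOU is an assumed example value.
$targetOU = 'OU=Workstations,DC=contoso,DC=com'
# From the machine being joined:
#   Add-Computer -DomainName contoso.com -OUPath $targetOU -Credential (Get-Credential) -Restart
# or with netdom:
#   netdom join %COMPUTERNAME% /domain:contoso.com /ou:"OU=Workstations,DC=contoso,DC=com" /userd:contoso\joiner /passwordd:*
```

Whichever default you end up with, the container shown by the first line is where any unscripted join will land, so that is the container whose linked GPOs (and delegated permissions) you need to review.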
  • thanks for the info Lain,

    Another quick one: adding a computer to a domain puts the Domain Admins group into the local Administrators group of the computer.
    Is it possible to add another AD group to the local Administrators group of the computer during the "add to domain" process?

    pajoryan123
    Friday, March 5, 2010 1:31 PM
  • Hello pajoryan123.

    That process is handled by the use of Group Policy. It is very easy to implement and widely used in enterprise environments where you want to assign a group of field techs the ability to have local admin access to workstations while not being members of the Domain Admins group.

    Read this Microsoft article, which provides a good explanation.

    Description of Group Policy Restricted Groups
    http://support.microsoft.com/default.aspx/kb/279301

    Visit my blog: anITKB.com, an IT Knowledge Base.
    • Proposed as answer by Meinolf Weber Monday, March 8, 2010 12:10 AM
    Friday, March 5, 2010 3:53 PM
  • thanks Jorge,

    This article doesn't tell me how to implement the addition of another security group to the local Administrators group on all workstations in an AD domain.
    Do you have a process for this?

    pajoryan123
    Monday, March 8, 2010 9:19 AM
  • Hi, Pajor.

    There are two approaches, both using Group Policy, to doing this.

    1. Define an explicit list of entries that should exist in the local administrators group;
    2. Define an additive entry for the local administrators group.

    I'd recommend option 2, because unless you work in a very rigid environment where you never have to make ad-hoc changes, you won't get away with option 1.

    You will need the Group Policy Management Console for the following steps.

    1. Open the GPMC and edit the policy that you are applying to your computers.
    2. Expand Computer Config > Policies > Windows Settings > Security Settings > Restricted Groups.
    3. Right-click and choose Add group...
    4. Click the Browse button and find the domain group you wish to add, and click OK when you're done.
    5. In the next dialog window (group properties), click the second Add button, with the section heading of "This group is a member of".
    6. Type in the word Administrators, don't browse for it.
    7. Click OK twice to accept the new entry, and you can close the group policy editor now.

    The next time the computer policy refreshes, the group will be added. You can force a refresh with the gpupdate /force command if you want to (from the command prompt).

    Cheers,
    Lain
    • Marked as answer by pajoryan123 Monday, March 8, 2010 2:07 PM
    Monday, March 8, 2010 9:31 AM
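The GUI steps above have no cmdlet equivalent, but the result can be checked from the domain side. The following is an added example (not from the thread, not Lain's code) that audits the local Administrators group on a set of workstations after the Restricted Groups policy has refreshed, reporting anything expected that is missing and anything present that the policy did not put there. With option 2 (the "member of" entry) extra local members survive, so "Unexpected" is the list to review by hand; with option 1 (an explicit member list) the next refresh would have removed them. It assumes WinRM is enabled, PowerShell 5.1 or later on the targets (for Get-LocalGroupMember), and that CONTOSO\Workstation Admins is the group added via the GPO; the group, domain and computer names are assumptions.

```powershell
# Added example: audit local Administrators membership on workstations after the
# Restricted Groups GPO has applied. Names below are assumptions for the example.
$ExpectedMembers = @(
    'CONTOSO\Domain Admins',       # added by the join itself
    'CONTOSO\Workstation Admins'   # added by the Restricted Groups entry
)
$Computers = @('WS001', 'WS002')   # assumed workstation names

$results = Invoke-Command -ComputerName $Computers -ScriptBlock {
    # Get-LocalGroupMember can error on orphaned SIDs left by deleted accounts;
    # keep going so one bad entry does not hide the rest of the list.
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

$report = foreach ($c in $Computers) {
    # Invoke-Command stamps each object with the remote host's name.
    $members = $results | Where-Object PSComputerName -eq $c
    $names   = @($members.Name)

    $missing = $ExpectedMembers | Where-Object { $_ -notin $names }

    # The machine's own built-in Administrator account is always a direct member;
    # everything else not on the expected list is worth a look.
    $unexpected = $members | Where-Object {
        $_.Name -notin $ExpectedMembers -and
        -not ($_.Name -like '*\Administrator' -and $_.PrincipalSource -eq 'Local')
    }

    [pscustomobject]@{
        Computer   = $c
        Reachable  = [bool]$members
        Missing    = ($missing -join ', ')
        Unexpected = ($unexpected.Name -join ', ')
    }
}

$report | Format-Table -AutoSize

# If a reachable computer shows the GPO group under Missing, confirm the policy got there:
#   gpresult /r /scope:computer   -> the GPO should be listed under "Applied Group Policy Objects"
#   gpupdate /force               -> then re-run this audit
```

Run it periodically rather than once: the point of option 2 is that local additions are tolerated, which also means nothing in Group Policy will tell you when someone adds an account by hand.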
  • Hello Pajoryan123,

    Sorry for the delay in response. Lain's description is well summarized. I would recommend that you create a group in your domain called "Workstation Admins" or something to that effect.

    You can create a group policy object and apply it to the OUs that contain computers. You could apply it at the domain object level, but due to inheritance it will also apply to the DCs, which you probably want to avoid. So you will need to take further steps to apply it at a lower level, maybe a "Parent" OU called Enterprise which is under the domain level, so that the policy you apply at this level will not include the Domain Controllers OU. You need to think about that design.

    Following Lain's recommendation, you would add this "Workstation Admins" group to the Administrators group on the PCs using the GPO.

    Now, as new admins come into the organization or leave the organization, all you have to do is modify the membership of this group.  No need to touch the GPO once it is implemented.

    Visit my blog: anITKB.com, an IT Knowledge Base.
    Monday, March 8, 2010 1:18 PM
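The scaffolding Jorge describes (a dedicated group, a GPO linked below the domain level so the Domain Controllers OU is not in scope) can be scripted with the ActiveDirectory and GroupPolicy RSAT modules. This is an added example, not code from the thread or from either poster, and it leaves the Restricted Groups entry itself to the GPO editor because no cmdlet sets it. The OU names, group name and GPO name are assumptions; the script checks that the GPO does not reach the Domain Controllers OU, which is the design point of the reply above.

```powershell
# Added example: create the delegation group and the GPO, link the GPO only to a
# workstation OU, and verify it does not reach the Domain Controllers OU.
# OU, group and GPO names are assumed values for the example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$groupsOU  = "OU=Groups,$domainDN"                         # assumed to exist
$wsOU      = "OU=Workstations,OU=Enterprise,$domainDN"     # assumed; must not contain the DCs
$dcOU      = "OU=Domain Controllers,$domainDN"             # created by AD, always this name
$groupName = 'Workstation Admins'
$gpoName   = 'Workstation Local Admins'

# 1. The delegation group. Future joiners and leavers are handled here, never in the GPO.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $groupsOU -Description 'Becomes a member of local Administrators on workstations via GPO'
}

# 2. The GPO, linked at the workstation OU only. Nothing linked here can be
#    inherited by the Domain Controllers OU, which sits beside, not below, it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Restricted Groups: $groupName -> local Administrators"
}
$alreadyLinked = (Get-GPInheritance -Target $wsOU).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $wsOU -LinkEnabled Yes | Out-Null
}

# 3. The Restricted Groups entry is still made in the GPO editor:
#    Computer Config > Policies > Windows Settings > Security Settings > Restricted Groups,
#    add "<domain>\Workstation Admins", and under "This group is a member of" type Administrators.
#    Once saved, the setting is written to SYSVOL and can be inspected here:
$inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
if (Test-Path $inf) {
    # [Group Membership] lines of the form <group>__Memberof = ... are the "member of" entries;
    # <group>__Members = ... lines are the explicit-list form (option 1) to avoid.
    Get-Content $inf | Select-String -Pattern 'Group Membership', '__Memberof', '__Members'
} else {
    "No GptTmpl.inf yet; the Restricted Groups entry has not been saved in the GPO editor."
}

# 4. Scope check: the GPO must not show up in the Domain Controllers OU's effective link list.
$dcLinks = Get-GPInheritance -Target $dcOU
$leak = @($dcLinks.GpoLinks + $dcLinks.InheritedGpoLinks) | Where-Object DisplayName -eq $gpoName
if ($leak) { Write-Warning "$gpoName reaches $dcOU; it is linked too high or to the wrong OU." }
else       { "$gpoName is not applied to $dcOU." }
```

Step 4 is the one to keep around: re-run it after any re-linking or OU reshuffle, because a GPO that quietly lands on the Domain Controllers OU would put "Workstation Admins" into the domain's Administrators group, not a workstation's.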
  • Lain/Jorge,

    This is exactly what I'm looking for and works a treat.

    Many thanks to you both.

    pajoryan123
    Monday, March 8, 2010 2:07 PM