downloadkid
IS-IT--Management
Evening Everyone
need some help with delegation in Server 2003.
Background;
I use Ghost console to deploy images to client PCs together with sysprep. The sysprep ini / answer file has all the details to join the PC to the domain. Everything works as it should. PC images, gets joined to the domain, named correctly and in the right OU.
The problem I have is that in order for it to work correctly I have to use the full admin account details in the sysprep ini file.
For obvious reasons this is not a good idea, best pracrtise dictates only assign the rights needed to an account to complete the job.
What I've done;
I created a gsg called TaskAdmin, then copied an admin account and removed membership to all groups except ; backup operators and domain users.
In the GPO on the DC under security local polocies; I added the TaskAdmin group to 'allowed user to add computers to the domain'. To the parent OU created for the various computer child OUs I delegated the right to add computer objects. This was done by 'creating a custom task to delegate' ,selecting the 'computer 'object, followed by 'create' objects in this folder' then finally 'create all child objects'
It doesn't seem to work..........
If I use the account to change for instance a computer name, as it would do during the image process i get an access denied.
This would indicate I haven't provided sufficient rights.
So finally the question;
What rights do i need to assign in order to make this work,
do i need for instance to assgn ; allowed to authenticate, read and write?
I have a similar issue with rights for backup purposes....I'll save that for when this has been resolved.
Many thanks in advance.
need some help with delegation in Server 2003.
Background;
I use Ghost console to deploy images to client PCs together with sysprep. The sysprep ini / answer file has all the details to join the PC to the domain. Everything works as it should. PC images, gets joined to the domain, named correctly and in the right OU.
The problem I have is that in order for it to work correctly I have to use the full admin account details in the sysprep ini file.
For obvious reasons this is not a good idea, best pracrtise dictates only assign the rights needed to an account to complete the job.
What I've done;
I created a gsg called TaskAdmin, then copied an admin account and removed membership to all groups except ; backup operators and domain users.
In the GPO on the DC under security local polocies; I added the TaskAdmin group to 'allowed user to add computers to the domain'. To the parent OU created for the various computer child OUs I delegated the right to add computer objects. This was done by 'creating a custom task to delegate' ,selecting the 'computer 'object, followed by 'create' objects in this folder' then finally 'create all child objects'
It doesn't seem to work..........
If I use the account to change for instance a computer name, as it would do during the image process i get an access denied.
This would indicate I haven't provided sufficient rights.
So finally the question;
What rights do i need to assign in order to make this work,
do i need for instance to assgn ; allowed to authenticate, read and write?
I have a similar issue with rights for backup purposes....I'll save that for when this has been resolved.
Many thanks in advance.
