pmmcateer wrote: » Is there a reason your help desk staff need to be able to remove the computer from the domain once joined, then rejoin? What is the error they get if they don't delete from AD and try to rejoin?
Mojo_666 wrote: » TBH, real-world techs do not join computers to the domain, as it is scripted/automated into the build process. If using RIS, the GUID is an attribute in the computer object; in MDT and SCCM you have a database that holds that info, but either way you never want that info deleted.
eserfeliz wrote: » Can you tell me where these permissions are set/delegated? Do I need to create a GPO to do this?
Mojo_666 wrote: » Well, TBH I do not quite get what you want to do exactly, but you can set permissions on AD objects such as users, computers, groups, OUs, etc. by selecting the "Advanced" view and modifying the security permissions as you would with any other object. That is how I administer my support people and assign perms to build/install/service accounts.
earweed wrote: » You may be better served by prestaging your computers in AD: Prestaging Client Computers. As far as how to move them and how to grant permission to those who should be able to move them (from the Computers container to the appropriate OU or group): How to Grant Permission to Move Computer Accounts to a User or Group. By default, when you join a computer to AD it is added to the Computers container. Hope this helps. I'm not sure why exactly your help desk people have to join computers to a workgroup in order to be placed in the correct OU or group. My only guess is that they don't have permission to move the computers in AD, and that is what I've addressed.
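To make the two suggestions above (delegating the move permission, and prestaging) concrete, here is an added PowerShell example that was not posted by anyone in the thread. It delegates to a help desk group the rights needed to move computer objects out of the default Computers container into a target OU, and shows how a prestaged object avoids the move altogether. The OU name OU=Workstations, the group HelpDesk-ComputerMovers and the computer name PC01 are assumptions, as is a domain admin running this with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not from the thread. Assumed names: OU=Workstations,
# HelpDesk-ComputerMovers, PC01. Run as a domain admin with RSAT installed.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$sourceDN  = "CN=Computers,$domainDN"        # where a plain domain join lands by default
$targetDN  = "OU=Workstations,$domainDN"     # assumed destination OU
$groupName = "HelpDesk-ComputerMovers"       # assumed delegated help desk group

$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID

# Resolve schemaIDGUIDs from the schema partition rather than hard-coding them,
# so the rules are scoped to computer objects and their RDN attributes only.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
$computerClass = Get-SchemaGuid 'computer'
$cnAttr        = Get-SchemaGuid 'cn'
$nameAttr      = Get-SchemaGuid 'name'

# Append one ACE to the DACL of an AD object via the AD: PSDrive.
function Add-AdAce {
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# A move needs three things: permission to delete computer children at the
# source, permission to create computer children at the destination, and
# write access to the RDN attributes (cn, name) of the object being moved.

# 1. Source container: DeleteChild, limited to the computer object class.
$deleteChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, 'DeleteChild', 'Allow', $computerClass, 'None'
Add-AdAce -Dn $sourceDN -Rule $deleteChild

# 2. Destination OU: CreateChild, limited to the computer object class.
$createChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, 'CreateChild', 'Allow', $computerClass, 'None'
Add-AdAce -Dn $targetDN -Rule $createChild

# 3. WriteProperty on cn and name, inherited only by computer objects under
#    the source container (Descendents + inheritedObjectType = computer).
foreach ($attr in @($cnAttr, $nameAttr)) {
    $writeRdn = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, 'WriteProperty', 'Allow', $attr, 'Descendents', $computerClass
    Add-AdAce -Dn $sourceDN -Rule $writeRdn
}

# Verify what was granted on the source container for the group.
(Get-Acl -Path "AD:\$sourceDN").Access |
    Where-Object { $_.IdentityReference -eq (Get-ADGroup $groupName).Name -or
                   $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType

# A member of the help desk group can now move a machine without unjoining it:
#   Move-ADObject -Identity "CN=PC01,$sourceDN" -TargetPath $targetDN
#
# Prestaging avoids the move entirely: create the object in the right OU first
# and the join binds to it instead of creating a new one under CN=Computers.
#   New-ADComputer -Name 'PC01' -Path $targetDN
```

Scoping every ACE to the computer class (and, for the attribute writes, to computer descendants only) is what keeps this from becoming a blanket delete or create right over the container; grant it on the Computers container and the one destination OU rather than at the domain root.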