How to create a filter in Active Directory to show only ‘Enabled’ Computer Accounts

In AD Users & Computers, you'll find a 'Managed By' field for each computer object. You can add the user's AD account to this field, and use it to identify the owner of the workstation.

As I understand it, there's no extra permissions granted by adding a user into the 'Managed By' field. It's just there to keep a record.

Another way that I've employed is to standardize the 'Description' field so that it holds a consistent set of information. For example, in a computer's description field you could have:

Desktop, Brisbane, Dell Optiplex 720, Fred Bloggs, 01-02-2007

From that, parsing through and pulling out a location, computer type, model, user's name, or date of purchase is pretty simple. You can also have your logon script copy the same information into the OS's machine description field, too.

One other option - AD allows you to extend and enhance it's schema, like other databases. You can use this to add custom fields. This is a bit more involved, and you're running the risk of violating the 'don't mess with the defaults unless you have no choice' rule of network administration.

It's quite possible to do this. On your Student OU (assuming you have one) set a permission to modify it. To set it up right, in ADU&C, go to the OU object, right click and go to Properties

• On the Security tab, click Advanced
• Add the user
• Select the Properties tab
• Change it to "All Descendant User Objects"
• Check "Read" and "Write" to "UserAccountControl"

That object will now be able to set the account state for all user objects in that OU.

How we've handled this problem is by creating a web application with its own authentication (we use our SSO solution to manage access to it) that handles these requests from your exception-desiring technicians. The web-app then performs the actions with the account created above. The app acts as an auditable proxy for who is unlocking what.